securityonline.info 5/29/2026, 8:28:28 AM · external

North Korean hackers deploy memory only toolset against banks

Primary Source blog.fox-it.com

Security researchers from Fox-IT have analyzed a sophisticated cyber espionage operation by a North Korean threat group targeting international financial institutions. This operation involves a new 'Lazarus memory-only toolset' that minimizes digital footprints on compromised systems. The toolset includes three key malware components: DPAPILoader, RemotePELoader, and RemotePE.

1. **First Stage - DPAPILoader**: This dynamic-link library (DLL) provides persistence by running as a disguised service, decrypting and loading malicious payloads without leaving traces on disk.

2. **Second Stage - RemotePELoader**: This component retrieves payloads while employing evasion techniques to avoid detection by security software. It modifies system libraries to bypass security hooks and suppresses telemetry data.

3. **Final Stage - RemotePE**: A fully functional remote access Trojan (RAT) that operates entirely in memory, with capabilities to manage connections and securely delete sensitive files.

The command-and-control infrastructure uses shared hosting services to disguise malicious traffic, making traditional network blocking ineffective. To counteract these threats, organizations should shift to host-based behavioral detection methodologies and monitor for unusual directory paths and network anomalies. Proactive threat hunting is essential to prevent data theft.
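One way to act on the "unusual directory paths" recommendation above is a hunt over service-installation telemetry: the first-stage loader persists as a disguised service DLL, so flag any service whose binary or hosted DLL lives outside the directories where legitimate services normally sit. This is an added example, not code from Fox-IT or the article; the event records, the field names (modelled loosely on a new-service-installed event) and the trusted-directory allow-list are all assumptions constructed for the demo.

```python
import re
from typing import Dict, List

# Assumed baseline of directories where legitimate service binaries live;
# tune this allow-list to your own fleet before using it as a rule.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# First executable or DLL path in an ImagePath, optionally quoted,
# stopping before any command-line arguments such as "-k netsvcs".
_PATH_RE = re.compile(r'^\s*"?([a-z]:\\[^"]+?\.(?:exe|dll))')


def image_dir(image_path: str) -> str:
    """Lower-cased directory of the first binary in a service path, or ""."""
    norm = image_path.lower().replace("%systemroot%", r"c:\windows")
    m = _PATH_RE.match(norm)
    return m.group(1).rsplit("\\", 1)[0] if m else ""


def is_unusual(path: str) -> bool:
    """True when the binary's directory is not inside any trusted directory."""
    d = image_dir(path)
    return bool(d) and not any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def flag_suspicious_services(events: List[Dict[str, str]]) -> List[str]:
    """Names of services whose ImagePath or ServiceDll is outside TRUSTED_DIRS.
    svchost-hosted services are checked via ServiceDll, since the ImagePath
    of such a service is always the trusted svchost.exe itself."""
    flagged = []
    for ev in events:
        if any(is_unusual(ev[f]) for f in ("ImagePath", "ServiceDll") if ev.get(f)):
            flagged.append(ev["ServiceName"])
    return flagged


# Constructed sample records for the demo, not real telemetry.
SAMPLE_EVENTS = [
    {"ServiceName": "Dhcp", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "ServiceDll": r"%SystemRoot%\system32\dhcpcore.dll"},
    {"ServiceName": "WinUpdateHelper", "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\ProgramData\Cache\wuhelper.dll"},  # hosted DLL outside the baseline
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    print(flag_suspicious_services(SAMPLE_EVENTS))  # ['WinUpdateHelper']
```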


Article by CyberSIXT
