The Lazarus APT group, a state-sponsored threat actor linked to North Korea, has introduced a new Remote Access Trojan (RAT) named ScoringMathTea. This sophisticated malware, developed in C++, is reportedly being utilized in Operation DreamJob, a campaign specifically targeting companies involved in Unmanned Aerial Vehicle (UAV) technology supplied to Ukraine. The objective appears to be the acquisition of sensitive production data and intellectual property.
ScoringMathTea’s emergence marks a potential escalation in cyber espionage capabilities, offering advanced features for remote command execution and persistent network access. The malware’s architecture is designed to circumvent security measures, posing a significant challenge to cybersecurity defenses. Its deployment through two distinct kill chains underscores the group’s evolving operational tactics and their focus on high-value targets within the defense sector.
Lazarus APT Group’s ScoringMathTea Enhances Remote Command Execution
The ScoringMathTea RAT provides attackers with extensive control over compromised systems, enabling a range of malicious activities. Its core functionalities include the ability to execute commands remotely, load plugins entirely in memory, and establish multiple persistence mechanisms. These features allow threat actors to maintain a covert presence within affected networks for extended periods, facilitating ongoing data exfiltration and further network compromise.
A key aspect of ScoringMathTea’s design is its sophisticated evasion strategy. Security researchers have noted its implementation of multiple layers of obfuscation techniques aimed at bypassing both network and endpoint security solutions. This focus on stealth is critical for Lazarus APT’s operations, allowing them to operate undetected for longer durations.
According to security analyst 0x0d4y, the malware employs a custom polyalphabetic substitution cipher for string deobfuscation at runtime. This method utilizes a 64-character lookup table and a dynamically changing key state, significantly hampering static analysis efforts and making it difficult for security tools to extract configuration details directly from the malware’s code.
The threat actors have been observed targeting companies that provide Unmanned Aerial Vehicle technology. This strategic targeting suggests a motive to gain intelligence on advanced defense systems and potentially disrupt supply chains related to the conflict in Ukraine.
Advanced Detection Evasion Through Dynamic API Resolution
ScoringMathTea distinguishes itself through its dynamic API resolution, a technique designed to circumvent common security monitoring. Instead of directly calling Windows APIs, which are often hooked by security software, ScoringMathTea resolves the addresses of these APIs at runtime. It does so by hashing export names with a custom algorithm that uses a fixed seed value of 0x2DBB955 and combines bit-shift operations with the ASCII value of each character, then comparing the result against the hashes it carries.
This dynamic resolution, combined with walking the Process Environment Block (PEB) to locate essential libraries such as kernel32.dll without going through the normal loader APIs, effectively blinds traditional API hooking mechanisms. This allows the malware to execute its functions without alerting security software that relies on monitoring these API interactions.
Communication with command and control (C2) servers is secured through a multi-layered encryption process. Initial payloads are compressed, then encrypted using either the TEA or XTEA algorithm in CBC mode, and finally encoded with Base64. To further mask its network traffic, ScoringMathTea spoofs the user agent of a legitimate Microsoft Edge browser. This technique helps its communications blend in with normal internet activity, making detection via network signature analysis exceedingly challenging.
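The layering described above, as an added illustration rather than code from the report or from the malware itself: an analyst-side decoder that peels Base64, XTEA in CBC mode and compression off a captured blob, with the encoder kept only to build the constructed sample. XTEA's reference constants and round count are standard; the key, IV, little-endian word order, PKCS#7-style padding and zlib compression are assumptions, since the article does not state them.

```python
import base64
import struct
import zlib

DELTA, MASK32, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32   # standard XTEA constants
def _enc_block(v0, v1, k):  # one 64-bit block, as in the XTEA reference code
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0, v1
def _dec_block(v0, v1, k):  # exact inverse of _enc_block
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0, v1
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def xtea_cbc(data, key, iv, encrypt):  # CBC over 8-byte blocks; little-endian words (assumed)
    k = struct.unpack("<4I", key)
    prev, out = iv, bytearray()
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if encrypt:
            prev = struct.pack("<2I", *_enc_block(*struct.unpack("<2I", _xor(blk, prev)), k))
            out += prev
        else:
            out += _xor(struct.pack("<2I", *_dec_block(*struct.unpack("<2I", blk), k)), prev)
            prev = blk
    return bytes(out)
def wrap_c2_message(plaintext, key, iv):  # beacon side: compress -> pad -> XTEA-CBC -> Base64
    body = zlib.compress(plaintext)
    pad = 8 - len(body) % 8                       # PKCS#7-style padding (assumed)
    return base64.b64encode(xtea_cbc(body + bytes([pad]) * pad, key, iv, True))
def unwrap_c2_message(blob, key, iv):  # analyst side: Base64 -> XTEA-CBC -> unpad -> decompress
    raw = xtea_cbc(base64.b64decode(blob), key, iv, False)
    pad = raw[-1] if raw else 0
    if not 1 <= pad <= 8 or raw[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key/IV or truncated blob")
    return zlib.decompress(raw[:-pad])

# Constructed sample: made-up key, IV and beacon body, not values from a real sample.
KEY, IV = bytes(range(16)), b"\x11" * 8
BEACON = b"host=WS01;user=analyst;ts=1700000000"
SAMPLE_BLOB = wrap_c2_message(BEACON, KEY, IV)
```

A bad key or IV surfaces as a padding error or a zlib failure rather than as garbage, which is the first signal to check when a decoder written against one sample does not work on another.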
A particularly noteworthy capability of ScoringMathTea is its reflective plugin loading. This allows attackers to download and execute arbitrary code entirely within the system’s memory, without writing any files to disk. This fileless execution method is a highly effective way to evade endpoint detection and response (EDR) solutions that focus on file-based indicators of compromise. The malware also incorporates an inline CRC32 checksum verification to detect and thwart debugging attempts, since modifications such as software breakpoints alter the checksum of the code being verified.
The sophistication of ScoringMathTea positions it as a significant threat requiring immediate attention from organizations involved in critical infrastructure, particularly those within the aerospace and defense sectors dealing with advanced technologies like UAVs. Continued monitoring of Lazarus APT’s activities and the evolution of their toolset, such as ScoringMathTea, will be crucial for maintaining effective cybersecurity defenses against these persistent threats.