Lazarus RemotePE RAT: Detection and Defense Against Memory-Only Financial Attacks

The Lazarus Group (APT38) has intensified its campaigns against the financial and cryptocurrency sectors with a sophisticated evolution of its toolset: RemotePE, a memory-only Remote Access Trojan (RAT). Unlike traditional malware that drops files on the disk, RemotePE operates entirely within system memory, utilizing reflective PE (Portable Executable) loading techniques to evade standard file-based antivirus signatures.

This is not a theoretical risk. Active exploitation has been confirmed against high-value targets holding liquid assets. For defenders, the "fileless" nature of this threat shifts the battlefield from static file analysis to behavioral monitoring and memory forensics. If your organization relies solely on disk-based scanning, you are currently blind to this intrusion.

Technical Analysis

Affected Products & Platforms

Platforms: Microsoft Windows (widely targeted versions including Windows 10 and Windows 11).
Vectors: Spear-phishing attachments (often weaponized Office documents), supply-chain compromises, or initial access brokers leveraging valid credentials.

Vulnerability & Exploitation Mechanics

RemotePE does not exploit a specific software CVE in the traditional sense; rather, it exploits the Windows memory model and standard API usage.

Attack Chain:
1. Initial Access: User executes a malicious macro or script (often PowerShell or VBScript).
2. Loader Execution: A shellcode or loader runs in memory, reaching out to C2 infrastructure to fetch the RemotePE payload.
3. Reflective Injection: The payload is loaded directly into the memory space of a legitimate process (e.g., explorer.exe, svchost.exe, or notepad.exe) using APIs like VirtualAlloc, CreateThread, or manual mapping. This bypasses the Windows Loader.
4. Execution: The malicious PE executes instructions (RAT capabilities) without ever touching the disk.
Exploitation Status: Confirmed Active Exploitation (ITW).

Risk Assessment

Because RemotePE runs in the memory of a trusted process, it inherits the process's permissions and can blend in with normal network traffic. It facilitates:

Credential theft (mimikatz-style memory dumping).
Lateral movement.
Exfiltration of private keys and financial data.

Detection & Response

Detecting memory-only malware requires identifying the behavior of injection and execution rather than the file itself. Below are high-fidelity detection rules tuned to catch the TTPs associated with Lazarus and reflective PE loading.

SIGMA Rules

YAML

---
title: Potential RemotePE Injection via Process Hollowing
id: a4b3c2d1-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects process creation with the CREATE_SUSPENDED flag (0x00000004) often used in Process Hollowing techniques to inject malicious PEs like RemotePE.
references:
 - https://attack.mitre.org/techniques/T1055/012/
author: Security Arsenal
date: 2026/05/12
tags:
 - attack.defense_evasion
 - attack.t1055.012
 - attack.privilege_escalation
logsource:
 category: process_creation
 product: windows
detection:
  selection:
    CommandLine|contains: 'CreateProcess'
    CreationFlags|contains: '0x00000004'
  filter_legitimate:
    Image|endswith:
      - '\\chrome.exe'
      - '\firefox.exe'
      - '\\msedge.exe'
falsepositives:
 - Legitimate application installers or updaters
level: high
---
title: Suspicious Process Access indicative of Remote Thread Creation
id: b5c4d3e2-f6a7-5b6c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects specific process access rights (PROCESS_CREATE_THREAD, PROCESS_VM_WRITE) often requested before injecting code into remote processes.
references:
 - https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/05/12
tags:
 - attack.defense_evasion
 - attack.t1055
 - attack.privilege_escalation
logsource:
 category: process_access
 product: windows
detection:
  selection:
    GrantedAccess|contains:
      - '0x1A' # PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
      - '0x143A' # Common for CreateRemoteThread injection
      - '0x2' # PROCESS_CREATE_THREAD
    SourceImage|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
      - '\\wscript.exe'
      - '\\cscript.exe'
  condition: selection
falsepositives:
 - Browser processes (Chrome/Edge) accessing other tabs
level: high
---
title: PowerShell Reflective PE Loading
id: c6d5e4f3-a7b8-6c7d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects PowerShell commands indicative of reflective PE loading, a core mechanic of RemotePE.
references:
 - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/05/12
tags:
 - attack.execution
 - attack.t1059.001
logsource:
 category: process_creation
 product: windows
detection:
  selection_keywords:
    CommandLine|contains:
      - 'System.Reflection.Assembly'
      - 'VirtualAlloc'
      - 'Delegate'
      - 'InvokeMember'
  selection_suspicious:
    CommandLine|contains:
      - 'LoadFrom'
      - 'UnsafeNativeMethods'
  condition: all of selection_*
falsepositives:
 - Rare legitimate system administration scripts
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender

// Hunt for suspicious Remote Thread Creation (Process Injection)
// Look for processes granting high access rights to other processes
DeviceProcessEvents
| where ActionType has \"ProcessAccess\" 
| extend GrantedAccessInt = toint(GrantedAccess)
| where GrantedAccessInt has_any (0x0010, 0x0020, 0x0008, 0x001F0FFF) // VM_WRITE, VM_OPERATION, VM_QUERY, ALL_ACCESS
| where InitiatingProcessFolderPath !has \"Program Files\" 
and InitiatingProcessFolderPath !has \"Program Files (x86)\"
and InitiatingProcessFolderPath !has \"Windows\\\System32\"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, TargetProcessFileName, GrantedAccess
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor

-- Hunt for suspicious memory regions (EXECUTE_WRITECOPY or EXECUTE_READWRITE)
-- indicative of unpacking or reflective loading in user processes
SELECT Pid, Name, CommandLine, StartAddress, Size, Protection, Name as SectionName
FROM process_vads()
WHERE Protection =~ 'EXEC'
  AND NOT IsMemMapped
  AND Name =~ '(non-mapped memory)'
  AND Size > 1000000 -- Filter for large allocations typical of packed PEs

Remediation Script (PowerShell)

PowerShell

<#
.SYNOPSIS
    Audit and Response Script for RemotePE/Memory Injection Indicators.
.DESCRIPTION
    Checks for unsigned modules loaded into critical processes (common in fileless attacks)
    and identifies processes with suspicious handles. Run as Administrator.
#>

Write-Host \"[+] Starting RemotePE Audit...\" -ForegroundColor Cyan

# Function to check for unsigned DLLs in high-risk processes
function Get-UnsignedModules {
    param ($ProcessName)
    
    $processes = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    foreach ($proc in $processes) {
        Write-Host \"[ ] Auditing Process: $($proc.ProcessName) (PID: $($proc.Id))\" -ForegroundColor Yellow
        foreach ($module in $proc.Modules) {
            # Check if file exists and is valid (module might be strictly in memory)
            if ($module.FileName -and (Test-Path $module.FileName)) {
                $sig = Get-AuthenticodeSignature $module.FileName
                if ($sig.Status -ne 'Valid') {
                    Write-Host \"    [!] ALERT: Unsigned or Invalid Module found: $($module.FileName)\" -ForegroundColor Red
                }
            } elseif (-not $module.FileName) {
                Write-Host \"    [!] ALERT: Memory-Only Module detected (Potential Shellcode/PE): $($module.ModuleName)\" -ForegroundColor Red
            }
        }
    }
}

# Audit critical processes often abused by Lazarus RemotePE
Get-UnsignedModules -ProcessName \"explorer\"
Get-UnsignedModules -ProcessName \"svchost\"

Write-Host \"[+] Audit Complete.\" -ForegroundColor Green
Write-Host \"[!] If memory-only modules or unsigned DLLs are found in svchost/explorer, consider immediate isolation and memory dump acquisition.\" -ForegroundColor Red

Remediation

Immediate containment and long-term hardening are required to mitigate the RemotePE threat.

Immediate Actions

Isolate: If RemotePE is detected, isolate the infected host from the network immediately to prevent lateral movement and C2 communication.
Memory Acquisition: Do not reboot the server. Acquire a full memory dump (e.g., using Magnet RAM Capture or WinPmem) for forensic analysis. Rebooting will wipe the evidence as it is memory-resident.
Credential Reset: Assume credentials have been compromised. Force a reset for all accounts used on the affected machine, particularly privileged and crypto-wallet access accounts.

Hardening & Mitigation

Attack Surface Reduction (ASR) Rules: Enable the "Block all Office applications from creating child processes" and "Block Win32 API calls from Office macro" ASR rules in Microsoft Defender. This kills the initial delivery vector for Lazarus.
Disable Macros: Group Policy Object (GPO) to prevent macros from running in Office documents from the internet.
- Path: User Configuration -> Administrative Templates -> Microsoft Office 2016/2019/365 -> Security -> Trust Center -> Trusted Locations
AMSI Integration: Ensure Antimalware Scan Interface (AMSI) is enabled. PowerShell scripts attempting to load assemblies into memory are often intercepted by AMSI before execution.
Network Segmentation: Critical systems holding crypto assets or financial data must be on a strict VLAN with no direct internet access and jump-host access only.

Vendor Guidance

There is no specific patch for "RemotePE" as it is an attack methodology, not a software bug. Defense relies on:

Updating Endpoint Detection and Response (EDR) sensors to the latest versions to ensure latest behavioral engines are active.
Reviewing CISA KEV (Known Exploited Vulnerabilities) catalog for associated initial access vectors (e.g., old Exchange bugs or VPN exploits) and patching those immediately.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub