Lazarus RemotePE: Evading Defenses with Memory-Only RATs

Just caught the write-up from Fox-IT regarding the Lazarus Group's new campaign targeting financial and crypto firms. They're leveraging a cross-platform, memory-only RAT called RemotePE.

What stands out is the delivery mechanism. It uses a two-stage loader process: DPAPILoader and RemotePELoader. The DPAPILoader component is particularly concerning because it leverages the Windows Data Protection API (DPAPI) to decrypt the next stage, effectively bypassing standard static analysis since the payload often doesn't touch the disk.

Since RemotePE runs entirely in memory, traditional file-based AV signatures are mostly useless here. We need to focus on behavioral monitoring and memory scanning.

For those running Sysmon, you might want to hunt for unsigned modules loading into memory without a corresponding file on disk. Here is a basic KQL query to get started hunting for these anomalies:

Sysmon
| where EventID == 7
| where isnull(FileName) or FileName == ""
| summarize count() by Image, ImageLoaded, Signed
| where Signed == "false"

Also, keep an eye on CryptUnprotectData API calls from unusual parent processes, as that's a strong indicator of the DPAPILoader activity.

How are you guys handling memory-only threats in your environments? Are you relying on specific EDR memory scanners, or are you looking at kernel-level telemetry?