Cyber Web Spider Blog – News

Lazarus APT Group New ScoringMathTea RAT Enables Remote Command Execution Among Other Capabilities

Posted on November 18, 2025 By CWS

The Lazarus APT Group has unveiled a brand new Remote Access Trojan called ScoringMathTea, representing a significant advancement of their cyberattack capabilities.

This C++-based malware was identified as part of Operation DreamJob, a campaign aligned with the North Korean government.

The threat actors have been targeting companies that provide Unmanned Aerial Vehicle technology to Ukraine, aiming to steal critical manufacturing data and intellectual property.

ScoringMathTea is distributed through two distinct kill chains and provides operators with comprehensive control over compromised systems.

The malware enables remote command execution, in-memory plugin loading, and various persistence mechanisms that allow attackers to maintain long-term access to infected networks.

What makes this threat particularly dangerous is its sophisticated architecture, designed specifically to evade detection by both network and endpoint security systems.

Security analyst and researcher 0x0d4y noted that ScoringMathTea implements multiple layers of obfuscation and evasion techniques.

The malware employs a custom polyalphabetic substitution cipher with chaining to deobfuscate strings at runtime, making static analysis significantly more difficult for security teams.

Execution chains (Source – 0x0d4y)

The decryption mechanism uses a 64-character lookup table and maintains a dynamic key state that changes with every character, effectively preventing simple string extraction tools from revealing its configuration details.

Advanced Detection Evasion Through Dynamic API Resolution

The malware's most notable defensive feature is its use of API hashing for dynamic resolution. Rather than calling Windows APIs directly, ScoringMathTea resolves them at runtime using a custom hashing algorithm.

The algorithm operates with a fixed seed value of 0x2DBB955 and combines character ASCII values with bit-shifted hash operations.

This approach, combined with PEB walking to locate kernel32.dll independently, allows the malware to bypass traditional API hooking mechanisms employed by security software.
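As an added illustration (not the researcher's code and not the malware's actual routine), the Python below shows how an analyst defeats API hashing from the defensive side: precompute the hash of every export name of the DLL the malware walks to, then look up the constants found in the binary. The seed 0x2DBB955 is the value reported above; the per-character mixing steps, the export subset and the "observed" hash values are assumptions constructed for the example.

```python
from typing import Dict, Iterable, Optional

SEED = 0x2DBB955  # fixed seed reported for ScoringMathTea's API hashing
MASK = 0xFFFFFFFF


def api_hash(name: str, seed: int = SEED) -> int:
    """Illustrative ASCII-plus-bit-shift hash.  The article gives the seed
    but not the mixing steps, so this rotate/add/xor body is an ASSUMED
    stand-in; swap in the real routine once it is lifted from the sample."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 7) | (h >> 25)) & MASK   # rotate left by 7
        h = (h + c) & MASK                  # fold in the character value
        h ^= h >> 13                        # mix high bits downward
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every export the malware could resolve."""
    table: Dict[int, str] = {}
    for n in export_names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve(observed: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map constants pulled from the binary back to API names (None = unknown)."""
    return {h: table.get(h) for h in observed}


# Constructed subset of kernel32.dll exports; a real run pulls the full
# export directory (e.g. with pefile) from the DLL build the sample targets.
KERNEL32_EXPORTS = [
    "LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc",
    "VirtualProtect", "CreateFileW", "ReadFile", "WriteFile", "Sleep",
    "CreateProcessW", "GetModuleHandleA", "ExitProcess",
]

# Constructed "observed" values: two genuine hashes plus one unknown constant.
OBSERVED = [api_hash("VirtualAlloc"), api_hash("GetProcAddress"), 0xDEADBEEF]


if __name__ == "__main__":
    table = build_hash_table(KERNEL32_EXPORTS)
    for h, name in resolve(OBSERVED, table).items():
        print(f"0x{h:08X} -> {name or '<unresolved>'}")
```

Because the binary never imports the resolved functions by name, the import table looks nearly empty; the fixed seed constant itself is therefore a natural static indicator for a YARA rule, and the precomputed table turns the hashed constants back into readable names for the analyst.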

Communication with the command and control server occurs over HTTP or HTTPS using multi-layered encryption. The malware first compresses payloads, then encrypts them with the TEA or XTEA algorithm in CBC mode, and finally applies Base64 encoding.

Additionally, ScoringMathTea spoofs a legitimate Microsoft Edge browser user agent to blend its traffic with normal network activity, making detection through network signatures extremely difficult.
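Added example, not the researcher's or the malware's code: an analyst-side decoder in Python for the three layers described above (compression, XTEA in CBC mode, Base64), useful once the key material has been recovered from a sample. XTEA is implemented from its public specification; the 16-byte key, 8-byte IV, little-endian word order, PKCS#7 padding, zlib as the compressor and the sample message are all assumptions constructed for the example, since the article does not disclose the malware's key material or framing.

```python
import base64
import binascii
import struct
import zlib
from typing import Optional, Tuple

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32


def xtea_encrypt_block(v0: int, v1: int, k: Tuple[int, ...]) -> Tuple[int, int]:
    """One 64-bit XTEA block, standard 32-round schedule (public spec)."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, k: Tuple[int, ...]) -> Tuple[int, int]:
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def _pad(data: bytes) -> bytes:            # PKCS#7 to the 8-byte block (assumed)
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    if not data or len(data) % 8:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def xtea_cbc(data: bytes, key: bytes, iv: bytes, encrypt: bool) -> bytes:
    """CBC chaining over 8-byte blocks; words read little-endian (assumed)."""
    k = struct.unpack("<4I", key)
    prev, out = iv, bytearray()
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if encrypt:
            x = bytes(a ^ b for a, b in zip(blk, prev))
            c = struct.pack("<2I", *xtea_encrypt_block(*struct.unpack("<2I", x), k))
            out += c
            prev = c
        else:
            p = struct.pack("<2I", *xtea_decrypt_block(*struct.unpack("<2I", blk), k))
            out += bytes(a ^ b for a, b in zip(p, prev))
            prev = blk
    return bytes(out)


def encode_beacon(plaintext: bytes, key: bytes, iv: bytes) -> str:
    """Layer order reported for ScoringMathTea: compress -> XTEA-CBC -> Base64."""
    return base64.b64encode(xtea_cbc(_pad(zlib.compress(plaintext)), key, iv, True)).decode("ascii")


def decode_beacon(b64: str, key: bytes, iv: bytes) -> bytes:
    """Reverse the layers; raises if any layer rejects the input."""
    raw = base64.b64decode(b64)
    if len(raw) % 8:
        raise ValueError("ciphertext not block aligned")
    return zlib.decompress(_unpad(xtea_cbc(raw, key, iv, False)))


def try_decode(b64: str, key: bytes, iv: bytes) -> Optional[bytes]:
    """Analyst helper: a wrong key fails the padding or zlib checks, so
    candidate keys can be tried against captured traffic without guesswork."""
    try:
        return decode_beacon(b64, key, iv)
    except (ValueError, zlib.error, binascii.Error):
        return None


# Constructed key, IV and message; none of these come from the real sample.
KEY = bytes(range(16))
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE = b'{"id":42,"status":"idle"}'
CAPTURED = encode_beacon(SAMPLE, KEY, IV)   # stands in for a captured POST body

if __name__ == "__main__":
    print("wire form:", CAPTURED)
    print("decoded  :", try_decode(CAPTURED, KEY, IV))
    print("wrong key:", try_decode(CAPTURED, bytes(16), IV))
```

Because the outermost layer is plain Base64 over a spoofed browser user agent, nothing in the HTTP stream itself identifies the cipher; the decoder is only useful alongside a recovered key, and the compression step means a wrong key is detected immediately by the zlib header and checksum rather than producing plausible-looking garbage.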

The malware's core strength lies in its reflective plugin loading capability, which allows operators to download and execute arbitrary code entirely in memory without ever writing files to disk.

This technique manually implements the Windows loader and includes an inline CRC32 checksum verification to detect debugger tampering.

Through these sophisticated mechanisms, ScoringMathTea represents a mature threat that demands immediate attention from security teams monitoring advanced persistent threats.
