DRATzarus

Malware

⚠️ Overview

DRATzarus is a custom remote access trojan (RAT) attributed to the North Korean threat group Lazarus (also tracked as APT38, Hidden Cobra). First publicly documented by Kaspersky in December 2020 during an analysis of a campaign targeting cryptocurrency exchanges and financial institutions, this malware serves as a second-stage payload deployed after initial exploitation via spear-phishing or supply-chain compromise.

🔧 Technical Capabilities

DRATzarus is written in C++ and communicates with its command-and-control (C2) infrastructure over HTTPS using a custom encrypted protocol that combines AES-256-CBC with base64 obfuscation. It achieves persistence by creating a scheduled task named "MicrosoftEdgeUpdateTaskMachine" or by installing itself as a Windows service. The malware uses process hollowing on legitimate executables such as svchost.exe to evade detection, and it can enumerate running processes, steal credentials from browsers and email clients, exfiltrate files via FTP or HTTP POST requests, and download additional modules such as a keylogger or a credential dumper. Propagation is limited to lateral movement over SMB using stolen credentials, leveraging the Windows "net use" command.

📜 History & Notable Incidents

First observed in early 2020, DRATzarus was a key component in the Lazarus Group's attacks on the cryptocurrency exchange KuCoin in September 2020, resulting in the theft of approximately $281 million in digital assets. The malware was also deployed in campaigns targeting the South Korean defense industry and a major Indian nuclear power plant, where it was used alongside the VHDLLoader dropper. No specific CVE is exclusively tied to DRATzarus; rather, it relies on exploitation of known vulnerabilities such as CVE-2019-0808 (Windows LPE) for initial access.

🔍 Detection Indicators

Indicators include file hashes of the DRATzarus binary (SHA256: 6c5c8a7e1b2f3d4e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8) and associated payloads such as VHDLLoader. Behavioral signatures include the creation of scheduled tasks named "MicrosoftEdgeUpdateTaskMachine", outbound HTTPS connections to C2 domains using a User-Agent string of "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", and the presence of registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values pointing to a renamed copy of the malware.
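The behavioral indicators above can be turned into a simple telemetry check. The following Python script is an added example (not from the original page or any vendor tooling): it scans constructed JSON-lines events for the scheduled-task name, the C2 User-Agent on HTTPS connections, and Run-key values that point into user-writable folders; the event schema, host names, paths and the list of "suspicious" folders are assumptions made for this example, and the User-Agent match is deliberately flagged as weak because that string is also a genuine Chrome 74 User-Agent.

```python
import json
# Indicators taken from the Detection Indicators section of this page.
TASK_NAME = "MicrosoftEdgeUpdateTaskMachine"
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Assumption (not from the page): user-writable drop folders, used to cut Run-key noise.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

def check_event(ev):
    """Return the indicator names one telemetry event matches (empty list if none)."""
    hits, kind = [], ev.get("type")
    if kind == "task_create" and ev.get("task_name", "").lower() == TASK_NAME.lower():
        hits.append("scheduled_task_name")   # exact match: a name that merely starts with it is not flagged
    if kind == "proxy" and ev.get("scheme") == "https" and ev.get("user_agent") == C2_USER_AGENT:
        hits.append("c2_user_agent")         # weak on its own: this is also a real Chrome 74 UA
    if (kind == "registry_set" and ev.get("key", "").lower().startswith(RUN_KEY.lower())
            and any(d in ev.get("data", "").lower() for d in SUSPICIOUS_DIRS)):
        hits.append("run_key_persistence")
    return hits

def scan(lines):
    """Parse JSON-lines telemetry; return [(line_no, hits)] for events that matched."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                         # skip malformed records instead of crashing
        hits = check_event(ev)
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample telemetry: host names, paths and destinations are made up.
SAMPLE_LOG = [
    '{"type": "task_create", "host": "ws01", "task_name": "MicrosoftEdgeUpdateTaskMachine"}',
    '{"type": "task_create", "host": "ws01", "task_name": "MicrosoftEdgeUpdateTaskMachineCore"}',
    '{"type": "proxy", "host": "ws01", "scheme": "https", "dest": "example.invalid", "user_agent": '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}',
    '{"type": "registry_set", "host": "ws01", "key": "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updater", '
    '"data": "C:\\\\Users\\\\bob\\\\AppData\\\\Roaming\\\\edgeupd.exe"}',
    '{"type": "registry_set", "host": "ws01", "key": "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\OneDrive", '
    '"data": "C:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe"}',
    'not json at all',
]
if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Only the exact task name should be treated as a high-confidence match; the other two hits are best used to raise the priority of a host that already tripped a stronger indicator.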

☠️ Risk & Impact

The primary impact of DRATzarus is the exfiltration of sensitive financial data, cryptocurrency wallet keys, and intellectual property, leading to direct monetary theft and operational disruptions. The malware has primarily affected cryptocurrency exchanges, defense contractors, and energy sector organizations in South Korea, India, and the United States, with cumulative financial losses estimated by CISA at over $1.5 billion from Lazarus Group operations overall.

🛡️ Mitigation

Defenders should implement application whitelisting, enable Windows Defender Attack Surface Reduction (ASR) rules for process hollowing, and deploy YARA rules that detect the DRATzarus custom encryption magic bytes (0xAB, 0xCD). MITRE ATT&CK techniques associated with DRATzarus include T1059.001 (PowerShell), T1071.001 (Web Protocols), T1547.001 (Registry Run Keys), and T1055.012 (Process Hollowing). Regular patching of privilege escalation vulnerabilities and strict email filtering for spear-phishing attachments remain critical.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.