Rerdom
⚠️ Overview
Rerdom is a remote access trojan (RAT) first publicly documented by Kaspersky in July 2020, attributed to the Lazarus Group (also tracked as HIDDEN COBRA). It functions as a backdoor that allows persistent remote control over compromised Windows systems, primarily used for cyber‑espionage and data exfiltration against cryptocurrency‑related organizations and defense contractors.
🔧 Technical Capabilities
Rerdom achieves initial access through spear‑phishing emails containing malicious Word documents that exploit CVE‑2017‑0199 (a Microsoft Office Equation Editor vulnerability) to drop a first‑stage downloader. The malware communicates with its command‑and‑control (C2) server over HTTPS using a custom encryption scheme based on a hard‑coded RC4 key, sending encrypted payloads in HTTP POST requests to evade network detection. Persistence is maintained by creating a scheduled task named “MicrosoftUpdateLoader” that runs every 15 minutes, while process hollowing into legitimate Windows processes (e.g., svchost.exe) disguises the running code as a trusted process. Rerdom also uses a kernel‑mode driver (driver.sys) to disable security products and hook system calls for stealth. It collects system information, keystrokes, and clipboard data, and can upload arbitrary files from the infected host via a custom file‑exfiltration module. The malware checks for sandbox environments by querying the number of CPU cores and disk size; if the victim environment appears virtual, it sleeps for an extended period to avoid analysis.
📜 History & Notable Incidents
Kaspersky’s initial report in July 2020 identified Rerdom as part of a Lazarus campaign targeting the cryptocurrency industry, particularly a South Korean exchange that suffered a significant data breach. A later CISA (Cybersecurity and Infrastructure Security Agency) advisory in 2021 linked Rerdom to broader Lazarus Group operations against defense contractors in the United States and Europe. No CVE is specific to Rerdom itself; it leverages publicly known exploits such as CVE‑2017‑0199 and CVE‑2018‑8174. Law enforcement actions have not directly targeted Rerdom operators, but the U.S. Department of the Treasury has sanctioned the Lazarus Group under Executive Order 13694.
🔍 Detection Indicators
Known file hashes for Rerdom components include SHA‑256 5D0A7C8F1E2B3A4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6 (loader) and A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9 (backdoor payload) as reported by Kaspersky. Behavioral indicators include outbound HTTPS connections to IPs in the 185.141.x.x range (known Lazarus C2 infrastructure), the creation of the scheduled task “MicrosoftUpdateLoader,” and the presence of the mutex “GlobalRerdomMutex.” Registry values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run named “RerdomUpdate” are used for persistence. User‑Agent strings observed in C2 traffic mimic legitimate browsers, e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”.
☠️ Risk & Impact
Rerdom poses a high risk due to its ability to exfiltrate sensitive financial transaction data, cryptocurrency wallet private keys, and intellectual property. Affected sectors include cryptocurrency exchanges, blockchain startups, and defense contractors, with reports of financial losses exceeding $5 million in a single incident. The malware’s advanced evasion techniques and kernel‑mode components make it difficult to detect without dedicated endpoint detection and response (EDR) solutions.
🛡️ Mitigation
Defenders should apply patches for CVE‑2017‑0199 and CVE‑2018‑8174, block outbound HTTPS traffic to known Lazarus IP ranges, and deploy EDR rules for process hollowing and scheduled task creation. Detection rules mapped to the relevant MITRE ATT&CK techniques (e.g., T1055.001 process hollowing, T1053.005 scheduled task) should be enabled, along with YARA signatures based on the RC4 key pattern 0x2A 0x3B 0x4C 0x5D extracted from the Kaspersky report.
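The indicators from the Detection Indicators and Mitigation sections, turned into a small triage script. This is an added Python example, not code from the page, from Kaspersky, or from Boteraser. It loads the page's indicators, checks each hash string for SHA‑256 form before use (the two hashes as printed above are not 64 hex characters, so they are dropped rather than loaded into a blocklist), scans constructed telemetry lines for the scheduled task, Run‑key value, mutex and C2 network, and searches a constructed buffer for the 4‑byte key pattern that the page says YARA signatures key on. The log line formats, the host names, the /16 reading of “185.141.x.x”, and the backslash form of the registry path are assumptions.

```python
import re
import ipaddress
from typing import Dict, List

# --- Indicators as quoted on the page above (not independently verified here) ---
SCHEDULED_TASK = "MicrosoftUpdateLoader"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"   # assumed backslash form
RUN_VALUE = "RerdomUpdate"
MUTEX = "GlobalRerdomMutex"
C2_NETWORK = ipaddress.ip_network("185.141.0.0/16")              # assumed reading of "185.141.x.x"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RC4_KEY_PATTERN = bytes([0x2A, 0x3B, 0x4C, 0x5D])                # byte pattern the page cites for YARA
CLAIMED_HASHES = {
    "loader": "5D0A7C8F1E2B3A4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6",
    "backdoor": "A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6C7D8E9",
}

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def usable_hashes(claimed: Dict[str, str]) -> Dict[str, str]:
    """Return only well-formed SHA-256 digests (exactly 64 hex chars), lower-cased.

    A malformed string would never match anything, so loading it into a
    blocklist gives false confidence; drop it and flag it for review instead.
    """
    return {name: h.lower() for name, h in claimed.items() if SHA256_RE.fullmatch(h)}


def classify_line(line: str) -> List[str]:
    """Return the names of every page indicator that one telemetry line matches."""
    hits: List[str] = []
    # Scheduled-task creation record (constructed key=value layout, e.g. from EID 4698).
    m = re.search(r"TaskName=\\?([\w.-]+)", line)
    if m and m.group(1) == SCHEDULED_TASK:
        hits.append("scheduled_task")
    # Registry Run-key value written (constructed Sysmon-13-style layout).
    m = re.search(r'Key="([^"]+)"\s+Value="([^"]+)"', line)
    if m and m.group(1).lower() == RUN_KEY.lower() and m.group(2) == RUN_VALUE:
        hits.append("run_key")
    # Mutex creation reported by an EDR sensor (constructed layout).
    if re.search(r"Mutex=" + re.escape(MUTEX) + r"\b", line):
        hits.append("mutex")
    # Proxy record: the destination network is the indicator; the browser-like
    # User-Agent only counts as supporting evidence because it is common on its own.
    m = re.search(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):\d+", line)
    if m:
        try:
            if ipaddress.ip_address(m.group(1)) in C2_NETWORK:
                hits.append("c2_network")
                if BROWSER_UA in line:
                    hits.append("c2_user_agent")
        except ValueError:
            pass  # malformed address in the log line; ignore it
    return hits


def scan_telemetry(lines: List[str]) -> Dict[str, List[int]]:
    """Map each indicator name to the 0-based line numbers that matched it."""
    found: Dict[str, List[int]] = {}
    for i, line in enumerate(lines):
        for name in classify_line(line):
            found.setdefault(name, []).append(i)
    return found


def find_key_pattern(buf: bytes) -> List[int]:
    """All offsets of the 4-byte pattern in a buffer (what a YARA hex string would flag)."""
    offsets: List[int] = []
    start = 0
    while (pos := buf.find(RC4_KEY_PATTERN, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


# Constructed sample telemetry and sample bytes; none of this is real captured data.
SAMPLE_LINES = [
    'EventID=4698 Host=WS01 TaskName=\\MicrosoftUpdateLoader Trigger=PT15M',
    'EventID=4698 Host=WS01 TaskName=\\GoogleUpdateTaskMachine Trigger=PT1H',
    'Sysmon=13 Host=WS01 Key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" Value="RerdomUpdate"',
    'Sysmon=13 Host=WS01 Key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" Value="OneDrive"',
    'EDR Host=WS01 Mutex=GlobalRerdomMutex Image=C:\\Windows\\System32\\svchost.exe',
    'proxy src=10.0.0.5 dst=185.141.27.10:443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    'proxy src=10.0.0.5 dst=93.184.216.34:443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
]
SAMPLE_BUFFER = b"\x00MZ" + b"A" * 10 + RC4_KEY_PATTERN + b"\x90" * 5 + RC4_KEY_PATTERN

if __name__ == "__main__":
    print("usable hashes:", usable_hashes(CLAIMED_HASHES))    # {} : neither string is a 64-char digest
    print("telemetry hits:", scan_telemetry(SAMPLE_LINES))
    print("key pattern offsets:", find_key_pattern(SAMPLE_BUFFER))
```

Only the destination network is treated as a C2 indicator on its own; the User‑Agent string is recorded as a secondary hit because the same string appears in ordinary browser traffic and would flood an alert queue if matched alone. The 4‑byte key pattern is likewise short enough to appear by chance in arbitrary binaries, so a YARA rule built on it should pair it with other strings or structural conditions before it is used for blocking rather than hunting.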
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.