Cyber Security News

Lazarus APT Group's New ScoringMathTea RAT Enables Remote Command Execution and Other Capabilities

The Lazarus APT Group has deployed a new Remote Access Trojan called ScoringMathTea, representing a significant advancement in its cyberattack capabilities.

This C++-based malware was identified as part of Operation DreamJob, a campaign aligned with the North Korean government.

The threat actors have been targeting companies that provide Unmanned Aerial Vehicle technology to Ukraine, aiming to steal critical production knowledge and intellectual property.

ScoringMathTea is distributed through two distinct kill chains and provides operators with comprehensive control over compromised systems.

The malware enables remote command execution, in-memory plugin loading, and various persistence mechanisms that allow attackers to maintain long-term access to infected networks.

What makes this threat particularly dangerous is its sophisticated architecture designed specifically to evade detection across both network and endpoint security systems.

A security analyst and researcher, 0x0d4y, noted that ScoringMathTea implements multiple layers of obfuscation and evasion techniques.

The malware employs a custom polyalphabetic substitution cipher with chaining to deobfuscate strings at runtime, making static analysis significantly more challenging for security teams.

Execution chains (Source – 0x0d4y)

The decryption mechanism uses a 64-character lookup table and maintains a dynamic key state that changes with each character, effectively preventing simple string extraction tools from revealing its configuration details.

Advanced Detection Evasion Through Dynamic API Resolution

The malware’s most notable defensive feature involves its implementation of API hashing for dynamic resolution. Rather than calling Windows APIs directly, ScoringMathTea resolves APIs at runtime using a custom hashing algorithm.

The algorithm operates with a fixed seed value of 0x2DBB955 and combines character ASCII values with bit-shifted hash operations.

This technique, combined with PEB Walking to locate kernel32.dll independently, enables the malware to bypass traditional API hooking mechanisms employed by security software.

Communication with the command and control server occurs over HTTP or HTTPS and is protected by several layers: the malware first compresses each payload, then encrypts it with TEA or XTEA in CBC mode, and finally Base64-encodes the result.
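An analyst-side decoder for the C2 pipeline described above (compress, then XTEA in CBC mode, then Base64), added here as an example; it is not code from the article or from 0x0d4y's analysis. The key, IV, little-endian word order, PKCS#7 padding, zlib as the compression algorithm and the sample message are all assumptions chosen so the example runs; a real traffic decoder would take the key and layout from the analysed sample.

```python
import base64
import struct
import zlib

DELTA, MASK, ROUNDS = 0x9E3779B9, 0xFFFFFFFF, 32


def _xtea_block(v0, v1, k, decrypt=False):
    """One 64-bit XTEA block (two uint32 words), 32 rounds, key k = 4 uint32."""
    s = (DELTA * ROUNDS) & MASK if decrypt else 0
    for _ in range(ROUNDS):
        if decrypt:  # undo the round in reverse order
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
            s = (s - DELTA) & MASK
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        else:
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
            s = (s + DELTA) & MASK
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def _xtea_cbc(data, key, iv, decrypt):
    """CBC over 8-byte blocks; words packed little-endian (an assumption)."""
    k, out, prev = struct.unpack("<4I", key), bytearray(), iv
    for i in range(0, len(data), 8):
        blk = data[i:i + 8]
        if decrypt:
            p = struct.pack("<2I", *_xtea_block(*struct.unpack("<2I", blk), k, True))
            out += bytes(a ^ b for a, b in zip(p, prev))
            prev = blk
        else:
            x = bytes(a ^ b for a, b in zip(blk, prev))
            prev = struct.pack("<2I", *_xtea_block(*struct.unpack("<2I", x), k))
            out += prev
    return bytes(out)


def encode_c2(plaintext, key, iv):
    """Sender direction (compress -> XTEA-CBC with PKCS#7 pad -> Base64); used only to build samples."""
    comp = zlib.compress(plaintext)  # compression algorithm is an assumption
    pad = 8 - len(comp) % 8
    return base64.b64encode(_xtea_cbc(comp + bytes([pad]) * pad, key, iv, False)).decode()


def decode_c2(blob, key, iv):
    """Analyst direction: reverse the pipeline on a captured Base64 message."""
    raw = base64.b64decode(blob)
    if len(raw) % 8:
        raise ValueError("ciphertext length is not a multiple of the 8-byte block")
    dec = _xtea_cbc(raw, key, iv, True)
    pad = dec[-1]
    if not 1 <= pad <= 8 or dec[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding check failed: wrong key, IV or message layout")
    return zlib.decompress(dec[:-pad])
```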

Additionally, ScoringMathTea spoofs a legitimate Microsoft Edge browser user agent to blend its traffic with normal network activity, making detection through network signatures extremely difficult.

The malware’s core strength lies in its reflective plugin loading capability, which allows operators to download and execute arbitrary code entirely within memory without ever writing files to disk.

This technique manually implements the Windows Loader and includes an inline CRC32 checksum verification to detect debugger tampering.

Through these sophisticated mechanisms, ScoringMathTea represents a mature threat that demands immediate attention from security teams monitoring advanced persistent threats.


Tushar Subhra Dutta

