RemotePE
Overview
RemotePE is a plugin-based remote-access backdoor family primarily distributed as an x64 PE32+ DLL, historically attributed (medium confidence) to Lazarus Group via MalwareBazaar/OpenCTI labels. First observed samples date to at least late 2023, with builds continuing into 2024. The sample catalogued here (710f1530) is a May 2024 MSVC 14.38 build.
The family is characterized by a modular controller architecture, HTTP C2 over WININET, BCrypt-secured communications, ZIP/Cabinet archive handling for payload staging, and distinctive anti-forensics through Azure Application Insights telemetry cookie masquerade.
Build-Stack Typically Observed
- Compiler: MSVC 14.38+ (Visual Studio 2022), often with POGO (Profile-Guided Optimization) enabled.
- Format: PE32+ x64 DLL, GUI subsystem, no exports (loaded reflectively or via rundll32).
- Security features: Full Control-Flow Guard (CFG) and GuardXFG enabled; NX/DYNAMIC_BASE/HIGH_ENTROPY_VA set. Unsigned.
- Dependencies:
  - WININET.dll (HTTP)
  - bcrypt.dll (AES / SHA-2 / PBKDF2)
  - CRYPT32.dll (DPAPI)
  - Cabinet.dll (archive compression)
  - libzippp (ZIP extraction)
  - json11 (JSON framing)
- No packing: Plain DLL, no UPX or custom packer. Relies on process injection/residence for evasion.
Capabilities
- http-wininet-c2-json-framed
- azure-telemetry-cookie-masquerade
- bcrypt-aes-encrypted-c2
- dpapi-local-secret-storage
- plugin-modular-rat-architecture
- zip-archive-payload-staging
- cabinet-compression-exfil
- token-duplication-lateral-movement
- ntdll-native-api-process-creation
- systemfunction001-export — named export used by early RemotePE builds (Oct 2023) and other Lazarus tooling; absent in later siblings (Apr/May 2024).
Deploy / TTPs Typically Observed
| ATT&CK ID | Procedure |
|---|---|
| T1071.001 | Application Layer Protocol: Web Protocols — HTTP/S C2 via WININET with fake telemetry headers. |
| T1036.005 | Match Legitimate Name or Location — Azure Application Insights cookie and header impersonation. |
| T1001.003 | Data Obfuscation: Protocol Impersonation — JSON-framed payloads inside benign-looking telemetry POSTs. |
| T1134 | Access Token Manipulation — DuplicateTokenEx + CreateProcessAsUserW for session hijacking. |
| T1078 | Valid Accounts — Use of stolen interactive tokens for lateral movement. |
| T1059.003 | Windows Command Shell — IConsole plugin enables remote command execution. |
| T1083 | File and Directory Discovery — IFileExplorer plugin for remote file browsing. |
| T1057 | Process Discovery — IProcess plugin enumerates and manipulates running processes. |
| T1560 | Archive Collected Data — libzippp and Cabinet APIs compress data for exfiltration. |
| T1543 | Create or Modify System Process — NtCreateUserProcess via native API to spawn child processes. |
| T1070.004 | File Deletion — MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT for self-erasure. |
Variants / Aliases
- remotepe (primary label per MalwareBazaar / OpenCTI)
- Attributed to Lazarus Group by some vendors (medium confidence; contested)
Notable Analyses
- 710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8 — May 2024 build, MSVC 14.38, full plugin RTTI recovered, telemetry masquerade documented. See full report: /intel/analyses/710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8.html
- 62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119 — Apr 2024 build, near-identical sibling to 710f1530. Same RTTI, same import profile, same telemetry masquerade, +2.5 KB. See full report: /intel/analyses/62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119.html
- 6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d — Oct 2023 build, MSVC 14.35, SystemFunction001 export, earliest sibling in cluster. See full report: /intel/analyses/6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d.html
Related Entities
- lazarus — Lazarus Group (attribution source)