Lazarus Group's ScoringMathTea RAT: Advanced Espionage Tool

A new technical deep-dive by malware researcher 0x0d4y reveals the inner workings of ScoringMathTea, a sophisticated remote access Trojan (RAT) attributed to the Lazarus Group. The analysis dissects the RAT's architecture, C2 protocol, API-hiding techniques, custom encryption routines, and a fully manual reflective plugin loader designed to evade modern detection stacks.

On start-up the RAT initializes a configuration structure, derives pseudo-random seeds from Windows tick counts, and sets up multiple C2 slots. It conceals its command-and-control URL as stack strings and resolves every API it needs at runtime through a custom hashing algorithm and an encrypted string table, keeping both the URL and the imports out of the binary's plain-text strings.

The RAT beacons on a persistent 60-second interval, and its communication loop connects to the C2 using a spoofed browser header. Once connected, ScoringMathTea sends a beacon pseudo-randomized with rand() to avoid signature-based detection. The response is then processed layer by layer: HTML wrapper removal, Base64 decoding, TEA/XTEA decryption in CBC mode, optional decompression, and finally command parsing.

All traffic with the C2 server runs over HTTP/HTTPS and is encoded, encrypted with TEA/XTEA in CBC mode, and optionally compressed. This multi-layered structure makes the traffic appear benign while protecting payload integrity.

The most sophisticated feature revealed by the analysis is ScoringMathTea's modular architecture, centered on a full reflective DLL injection system implemented entirely in the malware's own codebase.
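As an added illustration of the layered response format described above (not code from 0x0d4y's analysis or from the malware), the decoder below peels a captured reply through the HTML wrapper, Base64 and XTEA-CBC layers the way an analyst would when triaging the traffic. XTEA is the standard public algorithm; the HTML framing, the PKCS#7-style padding, the key and the IV are constructed assumptions, since the write-up does not publish the real ones, and the optional decompression layer is left out.

```python
import base64
import struct

DELTA, ROUNDS, MASK = 0x9E3779B9, 32, 0xFFFFFFFF  # standard XTEA constants

def xtea_block(block: bytes, key: bytes, decrypt: bool) -> bytes:
    # Standard XTEA on one 64-bit block: 32 cycles, 128-bit key, big-endian words.
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * ROUNDS) & MASK if decrypt else 0
    for _ in range(ROUNDS):
        if decrypt:  # run the Feistel cycle backwards
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
            s = (s - DELTA) & MASK
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        else:
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
            s = (s + DELTA) & MASK
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def cbc_encrypt(plain: bytes, key: bytes, iv: bytes) -> bytes:
    pad = 8 - len(plain) % 8  # PKCS#7-style padding is an assumption, not from the analysis
    plain += bytes([pad]) * pad
    out, prev = bytearray(), iv
    for i in range(0, len(plain), 8):
        prev = xtea_block(bytes(x ^ y for x, y in zip(plain[i:i + 8], prev)), key, False)
        out += prev
    return bytes(out)

def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), 8):
        out += bytes(x ^ y for x, y in zip(xtea_block(data[i:i + 8], key, True), prev))
        prev = data[i:i + 8]
    pad = out[-1] if out else 0
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key/IV, empty payload, or not XTEA-CBC")
    return bytes(out[:-pad])

def wrap_response(plain: bytes, key: bytes, iv: bytes) -> bytes:
    # Build a constructed C2 reply: encrypt -> Base64 -> embed in (assumed) HTML framing.
    blob = base64.b64encode(cbc_encrypt(plain, key, iv))
    return b'<html><body><div id="c">' + blob + b"</div></body></html>"

def peel_response(body: bytes, key: bytes, iv: bytes) -> bytes:
    # Decoder for a captured reply: strip HTML wrapper -> Base64-decode -> XTEA-CBC-decrypt.
    # The optional decompression layer named in the analysis is not modelled here.
    blob = body.partition(b'<div id="c">')[2].partition(b"</div>")[0]
    return cbc_decrypt(base64.b64decode(blob), key, iv)
```

Because the padding check fails closed, a reply decoded with the wrong key, or a page that carries no wrapped payload at all, raises instead of yielding garbage that looks like a command.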

Latest mentioned: 11-20
Earliest mentioned: 11-18