The Lazarus Group Now Uses BMP Images to Hide RAT Malware
The North Korean Advanced Persistent Threat (APT) Has Leveled Up Its Fraudulent Techniques by Abusing Image Files in a Recent Phishing Attack
The North Korean state-sponsored operation is conducting a spear-phishing attack against South Korea. The Lazarus Group has been found hiding its malicious code inside a bitmap (.BMP) image file in order to drop a remote access trojan (RAT) capable of stealing sensitive information.
According to Malwarebytes researchers, the campaign began with phishing emails carrying a malicious document, which the researchers identified on April 13th.
The actor used a clever method to bypass security mechanisms: it embedded its malicious HTA file as a zlib-compressed object inside a PNG file, and at run time the image is converted to the BMP format, which decompresses the embedded object. The dropped payload was a loader that decoded and decrypted the second-stage payload into memory. The second stage can receive and execute commands and shellcode, exfiltrate data, and communicate with a command-and-control server.
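The defensive counterpart to the trick described above is to look inside image files for compressed objects that inflate into something that is not pixel data. The following scanner is an added example written for this article; it is not code from Malwarebytes or from the campaign, and the HTA marker list, the size threshold and the sample file it builds are assumptions chosen for illustration. It walks a BMP or PNG for zlib stream headers, inflates each complete stream, and flags the file when the inflated content carries HTA or script markers.

```python
import re
import sys
import zlib

# zlib stream headers for the common compression levels (CMF 0x78 + valid FLG).
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

# Markers typical of an HTA / script payload. This list is an illustrative
# assumption, not a signature taken from the Malwarebytes report.
SCRIPT_MARKERS = (
    re.compile(rb"<hta:application", re.I),
    re.compile(rb"<script\b", re.I),
    re.compile(rb"<html", re.I),
    re.compile(rb"\bCreateObject\s*\(", re.I),
    re.compile(rb"WScript\.Shell", re.I),
)


def find_zlib_streams(data, min_size=16):
    """Return a sorted list of (offset, inflated_bytes) for every complete zlib
    stream found anywhere in data. A candidate counts only if it inflates
    cleanly to its end marker, which filters out random header-like bytes."""
    hits = []
    for magic in ZLIB_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off == -1:
                break
            start = off + 1
            inflater = zlib.decompressobj()
            try:
                out = inflater.decompress(data[off:])
            except zlib.error:
                continue
            if inflater.eof and len(out) >= min_size:
                hits.append((off, out))
    return sorted(hits)


def classify_payload(blob):
    """Return the marker patterns that match an inflated blob (empty if none)."""
    return [m.pattern.decode() for m in SCRIPT_MARKERS if m.search(blob)]


def scan_image(data):
    """Scan an image file's bytes and report embedded zlib streams together
    with any script markers found inside them."""
    if data.startswith(b"BM"):
        container = "BMP"
    elif data.startswith(b"\x89PNG\r\n\x1a\n"):
        container = "PNG"
    else:
        container = "unknown"
    streams = []
    for off, blob in find_zlib_streams(data):
        streams.append({"offset": off, "inflated_size": len(blob),
                        "markers": classify_payload(blob)})
    return {"container": container, "streams": streams,
            "suspicious": any(s["markers"] for s in streams)}


def build_sample():
    """Constructed fixture: a 54-byte BMP-style header followed by an inert,
    zlib-compressed HTA-like stub. The stub carries only the markers a dropped
    payload would have; it contains no working script."""
    bmp_header = b"BM" + b"\x00" * 52
    inert_stub = (b"<html><hta:application id='x'/>"
                  b"<script language='VBScript'>' inert</script></html>")
    return bmp_header + zlib.compress(inert_stub) + b"\x00" * 8


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(scan_image(blob))
```

Run it with a file path to scan that file, or with no arguments to scan the constructed sample. A legitimate PNG always contains zlib streams (its IDAT chunks), so the presence of a stream is not the signal; the decision rests on what the stream inflates to, which is why only marker matches mark a file as suspicious.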
The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) carrying a Korean-language lure. The document purports to be a participation application form for a fair in one of South Korea's cities and asks users to enable macros when it is opened for the first time; doing so runs the macro code that triggers the infection chain, which ultimately drops an executable called "AppStore.exe."
According to data journalist Ravie Lakshmanan, the payload then extracts an encrypted second-stage payload appended to itself, which is decoded and decrypted at run time. It then establishes communications with a remote server to receive additional commands and to transmit the results of those commands back to the server.
The malware can connect to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the RAT and the C2 server is base64-encoded and encrypted with a custom encryption algorithm that has previously been linked to Lazarus' Bistromath RAT.
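A loader that carries its encrypted second stage "appended to itself" leaves a measurable trace: data past the last section of the PE file (the overlay) that has the high entropy of encrypted or compressed content. The triage script below is an added example written for this article, not code from Malwarebytes or from the samples discussed; the entropy and size thresholds are assumptions to tune per environment, and the PE it builds for its own test is a constructed, non-executable skeleton. It parses the section table by hand so that no third-party module is needed.

```python
import math
import struct
import sys


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or constant input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_overlay(data):
    """Return (overlay_offset, overlay_bytes) for a PE file, or None if the
    bytes do not parse as PE. The overlay is whatever follows the last byte of
    section raw data (or the section table, if that ends later)."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                     # COFF file header (20 bytes)
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        sect_table = coff + 20 + opt_size       # first IMAGE_SECTION_HEADER
        end_of_sections = sect_table + 40 * num_sections
        for i in range(num_sections):
            hdr = sect_table + 40 * i
            # SizeOfRawData and PointerToRawData sit at +16 and +20 of the header.
            raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
            end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    except struct.error:
        return None
    end_of_sections = min(end_of_sections, len(data))
    return end_of_sections, data[end_of_sections:]


def assess_overlay(data, min_bytes=1024, entropy_threshold=7.0):
    """Triage heuristic: a large, high-entropy overlay is consistent with an
    encrypted or compressed stage appended to a loader. Both thresholds are
    assumed values, not figures from the report."""
    parsed = pe_overlay(data)
    if parsed is None:
        return {"is_pe": False}
    off, overlay = parsed
    ent = round(shannon_entropy(overlay), 3)
    return {"is_pe": True, "overlay_offset": off, "overlay_size": len(overlay),
            "entropy": ent,
            "suspicious": len(overlay) >= min_bytes and ent >= entropy_threshold}


def build_sample_pe(overlay):
    """Constructed fixture: a minimal PE32 skeleton (not runnable) with one
    512-byte .text section at file offset 0x200, followed by `overlay`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = b"\x0b\x01" + b"\x00" * (opt_size - 2)   # magic 0x10b = PE32
    raw_ptr, raw_size = 0x200, 0x200
    section = (b".text\0\0\0"
               + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr)
               + b"\x00" * 16)
    headers = dos + b"PE\0\0" + coff + optional + section
    headers += b"\x00" * (raw_ptr - len(headers))
    return headers + b"\x90" * raw_size + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_overlay(open(sys.argv[1], "rb").read()))
    else:
        print(assess_overlay(build_sample_pe(bytes(range(256)) * 8)))
```

Installers and signed binaries also carry overlays (certificates, setup archives), so treat a hit as a reason to look further, for instance by checking whether the overlay starts with a known archive or Authenticode structure, rather than as a verdict on its own.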
Earlier this month, Google’s Threat Analysis Group (TAG) warned that North Korean threat actors have set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers with malware linked to the Lazarus Group.
Active since at least 2009, Lazarus has also been linked to ransomware campaigns, cyber espionage, and cryptocurrency fraud scams. It has also used COVID-19-themed spear-phishing emails with malicious attachments or links as the initial access vector into target companies' enterprise networks.