A North Korean state-sponsored operation is running a spear-phishing campaign against targets in South Korea. The Lazarus Group has been found hiding its malicious code inside a bitmap (.BMP) image file in order to drop a remote access trojan (RAT) capable of stealing sensitive information.

According to Malwarebytes researchers, the phishing campaign began with emails carrying a malicious document, which they identified on April 13th.

The actor used a clever method to bypass security mechanisms: the malicious HTA file is embedded as a zlib-compressed object inside a PNG image, which is converted to the BMP format at run time, decompressing the payload in the process. The dropped payload is a loader that decodes and decrypts the second-stage payload into memory. That second stage can receive and execute commands and shellcode, exfiltrate data, and communicate with a command and control server.
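The embedding technique described above can be checked for from the defender's side. The following is an added example, not code from the article or from Malwarebytes: it walks an image file for embedded zlib streams and flags any that inflate to HTA/HTML content. The BMP-like sample inputs are constructed for the demonstration and the HTA stub is inert.

```python
import zlib

# Lowercase substrings an HTA body typically carries.
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")

# zlib header byte pairs for the common compression levels (CMF = 0x78).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(data: bytes, min_len: int = 32):
    """Return [(offset, inflated_bytes)] for every zlib stream that inflates cleanly.

    A PNG's own IDAT data is also a zlib stream, so the caller must inspect the
    inflated bytes rather than treating every stream as malicious.
    """
    found = []
    for hdr in ZLIB_HEADERS:
        pos = data.find(hdr)
        while pos != -1:
            try:
                # decompressobj stops at end-of-stream; trailing bytes are ignored.
                inflated = zlib.decompressobj().decompress(data[pos:])
                if len(inflated) >= min_len:
                    found.append((pos, inflated))
            except zlib.error:
                pass  # not a real stream, or truncated/interleaved (e.g. split IDAT)
            pos = data.find(hdr, pos + 1)
    return sorted(found)


def scan_image_for_hta(data: bytes):
    """Return [(offset, matched_marker)] for zlib streams whose content looks like an HTA."""
    hits = []
    for offset, blob in find_zlib_streams(data):
        lowered = blob.lower()
        for marker in HTA_MARKERS:
            if marker in lowered:
                hits.append((offset, marker.decode()))
                break
    return hits


# Constructed samples: a minimal BMP-like prefix followed by either an inert
# zlib-compressed HTA stub or an ordinary compressed data blob.
INERT_HTA = (b"<html><head><hta:application id='sample'/></head>"
             b"<script>/* inert constructed sample */</script></html>")
SUSPICIOUS_BMP = b"BM" + b"\x00" * 52 + zlib.compress(INERT_HTA) + b"\x00" * 16
BENIGN_BMP = b"BM" + b"\x00" * 52 + zlib.compress(b"pixel data " * 20) + b"\x00" * 16

if __name__ == "__main__":
    print("suspicious:", scan_image_for_hta(SUSPICIOUS_BMP))  # [(54, '<hta:application')]
    print("benign:    ", scan_image_for_hta(BENIGN_BMP))      # []
```

Real PNG files will produce hits in find_zlib_streams from their IDAT chunks; only the marker check in scan_image_for_hta distinguishes image data from an embedded script.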


The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) carrying a lure in the Korean language. The document purports to be a participation application form for a fair in one of the South Korean cities and asks users to enable macros when opening it for the first time; doing so runs the macro code that triggers the infection chain, which ultimately drops an executable called “AppStore.exe.”

[Image: Lazarus Group BMP malware attack chain. Image source: The Hacker News]

According to data journalist Ravie Lakshmanan, the payload then extracts an encrypted second-stage payload appended to itself, which is decoded and decrypted at run time. It then establishes communications with a remote server to receive additional commands and transmit the results of those commands back to the server.

The malware is able to connect to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the RAT and the C2 is base64-encoded and encrypted with a custom encryption algorithm that has previously been linked to Lazarus’ Bistromath RAT.

Earlier this month, Google’s Threat Analysis Group (TAG) warned that North Korean threat actors have set up a fake security company and social media accounts as part of a broad campaign targeting cybersecurity researchers with malware linked to the Lazarus Group.

Active since at least 2009, Lazarus has also been linked to ransomware campaigns, cyber espionage, and cryptocurrency fraud scams. The group has also used COVID-19-themed spear-phishing emails with malicious attachments or links as the initial access vector into targeted companies’ enterprise networks.
