20 April 2021

Lazarus APT has found a clever way to conceal its malicious code


Lazarus APT has found a clever way to conceal its malicious code

Lazarus APT, a North Korean threat actor known for its sophisticated attacks, has been observed using a clever method to bypass security mechanisms by hiding its malicious code within a bitmap (.BMP) image file used to drop a remote access trojan (RAT) capable of stealing sensitive information.

According to researchers at Malwarebytes Labs, in the recent phishing campaign Lazarus distributed email laced with a malicious MS Word document (in Korean), which purported to be a participation application form for a fair in one of the South Korean cities. To view the document, users are prompted to enable macros, which triggers the infection chain and ultimately leads to downloading an executable called "AppStore.exe."

This executable then proceeds to download and execute the second stage payload, which checks whether the victim machine has not been infected by this RAT (if not its starts its malicious activities), and establishes connection to its command and control server to receive commands.

The researchers attributed the observed phishing campaign to Lazarus based on several similarities between this attacks and previous operations linked to the group, such as the use of BISTROMATH RAT, some code similarities with some of known Lazarus malware families including Destover, as well as the use of a combination of base64 and RC4 for data obfuscation which is a common technique used by Lazarus.

“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format. The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server,” the researchers wrote.

“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S. and Japan in the past couple of years. The group is known to develop custom malware families and use new techniques in its operations.”

Back to the list

Latest Posts

One of the US’ largest pipelines halts operations after a ransomware attack

One of the US’ largest pipelines halts operations after a ransomware attack

The "DarkSide" criminal group is believed to be behind the ransomware attack.
10 May 2021
TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

TunnelSnake cyber-espionage campaign deploys unique rootkit to backdoor Windows systems

The attacks were highly targeted and delivered to less than 10 victims around the world, including large diplomatic organizations in South-East Asia and Africa.
10 May 2021
A bio research institute got infected with Ryuk ransomware because of pirated software

A bio research institute got infected with Ryuk ransomware because of pirated software

The student who wouldn’t pay for licensed software unwittingly opened a door to the ransomware.
10 May 2021