Lazarus APT, a North Korean threat actor known for its sophisticated attacks, has been observed using a clever method to bypass security mechanisms by hiding its malicious code within a bitmap (.BMP) image file used to drop a remote access trojan (RAT) capable of stealing sensitive information.
According to researchers at Malwarebytes Labs, in the recent phishing campaign Lazarus distributed emails laced with a malicious MS Word document (in Korean), which purported to be a participation application form for a fair in one of the South Korean cities. To view the document, users are prompted to enable macros, which triggers the infection chain and ultimately leads to downloading an executable called "AppStore.exe."
This executable then downloads and executes the second-stage payload, which first checks whether the machine is already infected by this RAT (if it is not, the RAT begins its malicious activity) and then establishes a connection to its command-and-control server to receive commands.
The researchers attributed the observed phishing campaign to Lazarus based on several similarities between this attack and previous operations linked to the group, such as the use of the BISTROMATH RAT, code similarities with known Lazarus malware families including Destover, and the use of a combination of base64 and RC4 for data obfuscation, a technique commonly used by Lazarus.
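The base64-plus-RC4 layering mentioned above is the kind of thing an analyst has to peel back when recovering strings or configuration from a sample. The block below is an added example, not Lazarus code and not Malwarebytes tooling: a textbook RC4 routine and the two-step decode (base64 layer first, then RC4). The key and the encoded string are constructed here; the RC4 routine is checked against the published test vector for key "Key" and plaintext "Plaintext".

```python
import base64

# Added example, not code from the original article or from Lazarus tooling.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling followed by the keystream generator).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                            # PRGA, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def deobfuscate(encoded: str, key: bytes) -> bytes:
    """Undo base64-over-RC4: strip the base64 layer, then the RC4 layer."""
    return rc4(key, base64.b64decode(encoded))


def obfuscate(plain: bytes, key: bytes) -> str:
    """Forward direction, used here only to build the constructed sample below."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


# Constructed sample: a made-up key and a harmless string, not values from the campaign.
SAMPLE_KEY = b"example-key"
SAMPLE_ENCODED = obfuscate(b"http://c2.example/check-in", SAMPLE_KEY)

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())        # bbf316e8d940af0ad3 (published test vector)
    print(deobfuscate(SAMPLE_ENCODED, SAMPLE_KEY))
```

In practice the RC4 key is itself something to hunt for in the sample (a hard-coded string or a value derived at runtime); once it is known, every base64 blob in the binary can be tried through `deobfuscate` and the ones that decode to printable text or a recognisable structure are the configuration and command strings.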
“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format. The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server,” the researchers wrote.
“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S. and Japan in the past couple of years. The group is known to develop custom malware families and use new techniques in its operations.”
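The hiding technique the quote describes (a zlib-compressed HTA sitting in the image's pixel data, exposed once the image is in uncompressed BMP form) suggests a simple static check on image files. The following is an added example, not the researchers' tooling and not anything recovered from the campaign: it reads the pixel array of a BMP, attempts inflation at every position that looks like a zlib header, keeps only streams that inflate completely, and flags inflated content that carries HTA markers. The BMP builder, the two images and the marker list are constructed fixtures and assumed heuristics.

```python
import re
import struct
import zlib

# Added example, not the researchers' tooling: a defender-side check that looks
# for zlib streams hidden in the pixel array of a BMP and reports whether they
# inflate to script-like (HTA / VBScript / JScript) content.

# zlib header = CMF byte 0x78 (deflate, 32 KiB window) + a FLG byte; these four
# FLG values are what ordinary encoders emit at the different compression levels.
ZLIB_HEADER = re.compile(rb"\x78[\x01\x5e\x9c\xda]")

# Heuristic markers for an HTA body (assumed; tune for your own detections).
SCRIPT_MARKERS = re.compile(rb"<hta:application|<script|CreateObject\s*\(|WScript\.Shell", re.I)


def bmp_pixel_array(data: bytes) -> bytes:
    """Return the pixel array of a BMP. Bytes 10..13 of the file header hold the
    offset of the pixel data, so the DIB header variant does not matter here."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", data, 10)[0]
    if offset > len(data):
        raise ValueError("pixel-data offset lies beyond end of file")
    return data[offset:]


def find_zlib_streams(blob: bytes, min_len: int = 16):
    """Try inflation at every byte pair that looks like a zlib header and keep
    only complete streams (d.eof set, which means the Adler-32 trailer checked)."""
    found = []
    for m in ZLIB_HEADER.finditer(blob):
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[m.start():])
        except zlib.error:
            continue                      # false-positive header: not real deflate data
        if d.eof and len(out) >= min_len:
            found.append((m.start(), out))
    return found


def scan_bmp(data: bytes) -> dict:
    """Summarise hidden streams in a BMP: how many inflate, how many look like script."""
    streams = find_zlib_streams(bmp_pixel_array(data))
    hits = [(pos, out) for pos, out in streams if SCRIPT_MARKERS.search(out)]
    return {"streams": len(streams), "script_like": len(hits), "hits": hits}


# ---- constructed fixtures (not samples from the campaign) ----------------------

def build_bmp(pixels: bytes) -> bytes:
    """Minimal 24-bit, single-row BMP (BITMAPFILEHEADER + BITMAPINFOHEADER)."""
    width, height = len(pixels) // 3, 1
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return hdr + dib + pixels


BENIGN_HTA = (b"<html><head><hta:application id='demo'/></head>"
              b"<script language='VBScript'>' harmless placeholder</script></html>")
FILLER = b"\x20\x40\x60" * 64                  # 192 bytes of ordinary-looking pixels
SUSPECT_BMP = build_bmp(FILLER + zlib.compress(BENIGN_HTA) + FILLER)
CLEAN_BMP = build_bmp(bytes(range(256)) * 3)

if __name__ == "__main__":
    for name, img in (("suspect", SUSPECT_BMP), ("clean", CLEAN_BMP)):
        r = scan_bmp(img)
        print(f"{name}: {r['streams']} zlib stream(s), {r['script_like']} script-like")
```

Two caveats for anyone turning this into a detection: a PNG's pixel data is itself deflate-compressed inside IDAT chunks, so the same check on the PNG form has to decode the image first, which is why scanning the BMP the loader writes out (or the decoded pixel buffer) is the more reliable place to look; and the marker list only catches plaintext HTA bodies, so a stream that inflates cleanly but matches nothing is still worth a second look when it is sizeable.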