Lazarus Group Hid RATs in BMP Images

Malwarebytes researchers report the North Korean advanced persistent threat group Lazarus rolled out a new weapon during a recent phishing campaign targeting South Korea in which the gang incorporated malicious BMP files in an image-laden document.

See Also: Determining the Total Cost of Fraud

The malware embedded in the images drops two payloads, and the actual attack takes place after the second has been downloaded. If the attack is successful, the hacker gains the ability to receive and execute commands and shellcode and perform data exfiltration to a command-and-control server, the researchers say.

The obfuscation technique involved essentially buries the malware inside several levels of nested and compressed image and file types.

“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format,” Malwarebytes says.

The Process

Malwarebytes recently acquired a document that it says the Lazarus Group used in an attack against a South Korean target as part of a larger campaign. Malwarebytes gave no details on the number of victims or the period during which the campaign operated.

The attack was initiated with a series of phishing emails that contained a malicious Microsoft Word document named “Application Form,” which purported to be a form submitted by someone to host a fair in a South Korean city.

The chain of events leading to the malware injection started when the victim opened the document and then followed the instructions to enable the macro to view it. Then, a pop-up informed the victim that their version of Word was out of date. The attacker hoped to temporarily confuse the victim as the malware then took several actions, including retrieving and decompressing the image files embedded in the malicious zlib object.

“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it cannot be detected by static detections.”

The act of converting the PNG file to a BMP automatically decompressed the file. At that point, the process dropped an encoded remote access Trojan on the targeted device, which was then decrypted in preparation for stage two.

Second-Stage Payload

Once the payload was loaded into memory by AppStore.exe, it started performing an initialization process. This included checking to see if a mutex named Microsoft 32 – a lock that can lock one thread – existed on the device. If the mutex was discovered, the infection process stopped. But if such a mutex was not found, that meant the device had not previously been infected with the remote access Trojan, so the payload moved ahead with the infection process.

The malware made HTTP requests to its command-and-control servers, whose addresses have been base64-encoded and encrypted using a custom encryption algorithm. The researchers say this custom encryption algorithm is one of several indicators tying the Lazarus Group to this campaign.

The malware then moved on to execute the commands received, which can include dropping shellcode.

Lazarus Group Connections

In addition to the algorithm used during the download process, Malwarebytes cites several other connections to the North Korean-backed group, including:

• The second-stage payload used a combination of base64 and RC4 for data obfuscation as in previous attacks.
• The second-stage payload used in this attack had some code similarities to some known Lazarus malware families, including Destover, a wiper that was used in the 2014 attack against Sony that was attributed to North Korea.
• Sending data and messages as a GIF to a server, as in the latest attack, was previously used in AppleJeus, a supply chain attack against South Korea, and the DreamJob operation.

The Lazarus Group, also known as Hidden Cobra, Dark Seoul, Guardians of Peace and APT38, recently targeted cybersecurity researchers and conducted e-commerce attacks in 2019 and 2020 (see: Lazarus E-Commerce Attackers Also Targeted Cryptocurrency).