North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection

North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection

North Korea-linked Lazarus APT group is abusing bitmap (.BMP) image files in a recent spear-phishing campaign targeting entities in South Korea. 

Experts from Malwarebytes have uncovered a spear-phishing attack conducted by a North Korea-linked Lazarus APT group that obfuscated a malicious code within a bitmap (.BMP) image file.

The malicious code within the bitmap image file was used by threat actors to drop a remote access trojan (RAT) on the victims’ systems that allow them to steal sensitive information.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

According to a report published by Kaspersky Lab in January 2020, in the two years the North Korea-linked APT group has continued to target cryptocurrency exchanges evolving its TTPs.

In December 2020, the North Korea-linked Lazarus APT group has launched cyberattacks against at least two organizations involved in COVID-19 research.

The attack chain related to the spear-phishing campaign documented by MalwareBytes begins using a weaponized Microsoft Office document in the Korean language. The email attempts to trick victims into enabling the macros in order to view the content, but once enabled the macros in order a malicious code is executed. 

“Upon enabling the macro, a message box will pop up and after clicking the final lure will be loaded.” reads the analysis published by MalwareBytes. “The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021 which indicates that the attack happened around the same time. The document has been weaponized with a macro that is executed upon opening.”

Lazarus APT phishing

The macro first calls MsgBoxOKCancel function that pops up a message box to the user with a message claiming to be an older version of Microsoft Office.

In the background, the macro calls an executable HTA file compressed as a zlib file that is included within an overall PNG image file. 

The macro also converts the image in PNG format into BMP format by invoking the WIA_ConvertImage function. Experts pointed out that converting a PNG file format into BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP because the BMP file format is uncompressed graphics file format.

Using this trick, attackers can avoid the detection of embedded objects within images.

“The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.” states the analysis.

The HTA drops a loader for a Remote Access Trojan (RAT), which is stored as “AppStore.exe” on the target machine.  

The RAT connects the command-and-control (C2) server to receive commands and drop shellcode.

Experts found many similarities between this campaign and past Lazarus operations, for example the second stage payload has used the similar custom encryption algorithm that has been used by BISTROMATH RAT associated to Lazarus.

“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format.” concludes the report. “The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)

Leave a Reply

Your email address will not be published. Required fields are marked *