Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Fraud Risk Management

Lazarus Group Hid Remote-Access Trojans in Bitmap Images

Hacking Group With Ties to North Korea Used Fresh Tactic to Target South Korea
Lazarus Group Hid Remote-Access Trojans in Bitmap Images
The form Lazarus uses to lure in its victims (Source: Malwarebytes)

The Lazarus group, an offensive hacking team with ties to North Korea, rolled out a new weapon during a recent phishing campaign targeting South Koreans: Image-laden documents containing malicious bitmap files, reports security firm Malwarebytes.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

The malware embedded in the images drops two payloads, and the actual attack takes place after the second has been downloaded. If the attack is successful, the hacker gains the ability to receive and execute commands and shellcode and perform data exfiltration to a command-and-control server, the researchers say.

The obfuscation technique involved essentially buries the malware inside several levels of nested and compressed image and file types.

"The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format," Malwarebytes says.

The Process

Malwarebytes recently acquired a document that it says the Lazarus Group used in an attack against a South Korean target as part of a larger campaign. Malwarebytes gave no details on the number of victims or the period during which the campaign operated.

The attack was initiated with a series of phishing emails that contained a malicious Microsoft Word document named "Application Form," which purported to be a form submitted by someone to host a fair in a South Korean city.

The chain of events leading to the malware injection started when the victim opened the document and then followed the instructions to enable the macro to view it. Then, a pop-up informed the victim that their version of Word was out of date. The attacker hoped to temporarily confuse the victim as the malware then took several actions, including retrieving and decompressing the image files embedded in the malicious zlib object.

"This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images," the researchers say. "The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it's compressed it cannot be detected by static detections."

The act of converting the PNG file to a BMP automatically decompressed the file. At that point, the process dropped an encoded remote access Trojan on the targeted device, which was then decrypted in preparation for stage two.

Second-Stage Payload

Once the payload was loaded into memory by AppStore.exe, it started performing an initialization process. This included checking to see if a mutex named Microsoft 32 - a lock that can lock one thread - existed on the device. If the mutex was discovered, the infection process stopped. But if such a mutex was not found, that meant the device had not previously been infected with the remote access Trojan, so the payload moved ahead with the infection process.

The malware made HTTP requests to its command-and-control servers, whose addresses have been base64-encoded and encrypted using a custom encryption algorithm. The researchers say this custom encryption algorithm is one of several indicators tying the Lazarus Group to this campaign.

The malware then moved on to execute the commands received, which can include dropping shellcode.

Lazarus Group Connections

In addition to the algorithm used during the download process, Malwarebytes cites several other connections to the North Korean-backed group, including:

  • The second-stage payload used a combination of base64 and RC4 for data obfuscation as in previous attacks.
  • The second-stage payload used in this attack had some code similarities to some known Lazarus malware families, including Destover, a wiper that was used in the 2014 attack against Sony that was attributed to North Korea.
  • Sending data and messages as a GIF to a server, as in the latest attack, was previously used in AppleJeus, a supply chain attack against South Korea, and the DreamJob operation.

The Lazarus Group, also known as Hidden Cobra, Dark Seoul, Guardians of Peace and APT38, recently targeted cybersecurity researchers and conducted e-commerce attacks in 2019 and 2020 (see: Lazarus E-Commerce Attackers Also Targeted Cryptocurrency).

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.