A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code inside a bitmap (.BMP) image file in order to drop a remote access trojan (RAT) capable of stealing sensitive information.
Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign began by distributing emails laced with a malicious document that it identified on April 13.
“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format,” Malwarebytes researchers said.
“The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.”
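The run-time unpacking described in the quote above, where a compressed script payload rides inside an image container, is also something a defender can check for at the file level. The Python below is an added example, not Malwarebytes' or the article's code, and it assumes nothing about the real sample: it builds a constructed, benign BMP with a zlib stream appended after the declared image size (the HTA-style text inside is a placeholder marker, not a script), then reports bytes beyond the container's declared end (BMP `bfSize`, or the PNG `IEND` chunk) and any zlib stream that inflates to HTA/script markers.

```python
"""Scan BMP/PNG blobs for trailing data and zlib streams that inflate to HTA/script content."""
import struct
import zlib

# Substrings whose presence in an inflated stream suggests an HTA/script payload.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"activexobject", b"wscript.shell")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def declared_image_end(data: bytes):
    """Offset where the container claims the image ends, or None if not BMP/PNG.

    BMP: bfSize (uint32 LE at offset 2) is the declared total file size.
    PNG: the file ends right after the IEND chunk (length, type, data, CRC).
    """
    if data[:2] == b"BM" and len(data) >= 6:
        return struct.unpack_from("<I", data, 2)[0]
    if data.startswith(PNG_SIGNATURE):
        pos = len(PNG_SIGNATURE)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack_from(">I4s", data, pos)
            pos += 8 + length + 4  # chunk header + data + CRC
            if ctype == b"IEND":
                return pos
    return None


def find_zlib_streams(data: bytes, min_len: int = 16):
    """Yield (offset, inflated_bytes) for each position that inflates as a complete zlib stream."""
    for i in range(len(data) - 1):
        cmf, flg = data[i], data[i + 1]
        # zlib header check: CM must be 8 (deflate) and CMF*256+FLG a multiple of 31.
        if cmf & 0x0F != 8 or (cmf * 256 + flg) % 31 != 0:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[i:]) + d.flush()
        except zlib.error:
            continue
        if d.eof and len(out) >= min_len:  # require a properly terminated stream
            yield i, out


def scan_image(data: bytes):
    """Return a list of findings: trailing bytes past the declared end, embedded script streams."""
    findings = []
    end = declared_image_end(data)
    if end is not None and len(data) > end:
        findings.append({"kind": "trailing_data", "offset": end, "length": len(data) - end})
    for off, inflated in find_zlib_streams(data):
        hits = [m.decode() for m in SCRIPT_MARKERS if m in inflated.lower()]
        if hits:
            findings.append({"kind": "embedded_script", "offset": off,
                             "inflated_length": len(inflated), "markers": hits})
    return findings


def build_bmp(trailing: bytes = b"") -> bytes:
    """Constructed test data: a minimal 1x1 24-bit BMP, optionally followed by extra bytes."""
    pixel_row = b"\x00\x00\x00\x00"  # one BGR pixel padded to a 4-byte row
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel_row), 2835, 2835, 0, 0)
    file_size = 14 + len(dib) + len(pixel_row)  # bfSize covers only the real image
    header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, 14 + len(dib))
    return header + dib + pixel_row + trailing


# Constructed, benign sample mimicking the layout: image bytes, then a zlib stream whose
# content carries HTA-style markers. This is a placeholder string, not an actual script.
SAMPLE_MARKER = b'<HTA:APPLICATION id="constructed_sample"><script>/* placeholder */</script>'
SAMPLE_FILE = build_bmp(zlib.compress(SAMPLE_MARKER))
CLEAN_FILE = build_bmp()

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FILE), ("sample", SAMPLE_FILE)):
        print(name, scan_image(blob))
```

Two independent signals are checked on purpose: a container whose real length exceeds its declared size is suspicious regardless of what the extra bytes are, and a zlib stream that inflates to script markup is suspicious wherever it sits, including inside the pixel area. Either one alone is enough to route a mail attachment for closer inspection.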
Created on March 31, 2021, the lure document (in Korean) purports to be a participation application form for a fair in one of the South Korean cities and prompts users to enable macros upon opening it for the first time, only to execute the attack code that triggers the infection chain, ultimately dropping an executable called “AppStore.exe.”
The payload then proceeds to extract an encrypted second-stage payload appended to itself that is decoded and decrypted at run time, followed by establishing communications with a remote server to receive additional commands and transmit the results of those commands back to the server.
“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S., and Japan in the past couple of years,” the researchers said. “Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks.”