Beware of a New Malware Campaign that Hides Malicious code within BMP Image

Lazarus APT is one of the most sophisticated North Korean Threat Actors that has been active since at least 2009.

This actor is known to target the U.S., South Korea, Japan, and several other countries. In one of their most recent campaigns, Lazarus used a complex targeted phishing attack against security researchers.

Experts from Malwarebytes have revealed a spear-phishing attack carried out by a North Korea-linked Lazarus APT group that obfuscated a malicious code within a bitmap (.BMP) image file.

Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks.

The Process of the Attack

Process Graph

This attack possibly started by distributing phishing emails that were weaponized with a malicious document. Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.

Upon enabling the macro, a message box will pop up and after clicking the final lure will be loaded.

“The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021 which indicates that the attack happened around the same time”, according to the analysis published by MalwareBytes.

The document has been weaponized with a macro that is executed upon opening. The macro starts by calling the MsgBoxOKCancel function. This function pops up a message box to the user with a message claiming to be an older version of Microsoft Office.

In the background, the macro calls an executable HTA file compressed as a zlib file that is included within an overall PNG image file. The macro also converts the image in PNG format into BMP format by invoking the WIA_ConvertImage function.

Experts pointed out that converting a PNG file format into a BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP since the BMP file format is the uncompressed graphics file format.

Using this trick, attackers can avoid the detection of embedded objects within images.

The executable HTA file drops a loader for a Remote Access Trojan (RAT), which is stored as “AppStore.exe” on the target machine. The RAT connects the command-and-control (C2) server to receive commands and drop shellcode.

Researchers found many similarities between this campaign and past Lazarus operations, for instance, the second stage payload has used the similar custom encryption algorithm that has been used by BISTROMATH RAT associated with Lazarus.

Final Word

Experts say that the actor has used an intelligent method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format.

The second stage payload can receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.

Also Read

Dridex Network Attack Campaign Delivered by Cutwail Botnet and Poisonous PowerShell Scripts

Hackers Steal Outlook Passwords Via Overlay Screens on Legitimate Sites

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.