Lazarus APT hides malicious code in BMP to Drop its RAT

Researchers discovered on April 13 that Lazarus had organized a phishing campaign targeting South Korea. The attackers embed the malicious HTA file, as a zlib-compressed object, inside a PNG file and then convert it to the BMP format at runtime so that the object can be decompressed, releasing a remote access Trojan that can steal sensitive information.

The overall attack process is as follows:


The Korean decoy document used in the attack was written on March 31, 2021; its content was an application form related to a city fair in South Korea.


The document prompts the user to enable macros when it is opened for the first time. Once they are enabled, the macro code that triggers the infection chain is executed, and an executable file named “AppStore.exe” is finally dropped.

The payload then extracts the encrypted second-stage payload appended to itself, decodes and decrypts it at runtime, establishes communication with the remote server to receive further commands, and sends the results of those commands back to the server.
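The image trick described above (a zlib-compressed object hidden in image data that becomes visible once the picture is stored as uncompressed BMP pixels) is something a defender can look for directly. The following Python script is an added example, not code from the original report or from any tool mentioned in it: it builds a constructed 2x2 BMP with a harmless placeholder payload appended after the pixel array, then scans the file for zlib stream headers, inflates each complete stream and flags script-like markers in the result. The sample payload, the marker list and the helper names are assumptions made for this example.

```python
import struct
import zlib

# Constructed placeholder payload standing in for an embedded HTA; it is harmless text.
SAMPLE_PAYLOAD = (
    b'<html><head><hta:application id="sample"></head>'
    b'<script language="VBScript">MsgBox "constructed sample"</script></html>'
)

# Two-byte zlib stream headers for the common compression levels.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")

# Substrings (lower-cased) that suggest an inflated blob is a script rather than image data.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"vbscript", b"jscript", b"wscript.shell")


def build_sample_bmp(payload: bytes) -> bytes:
    """Build a minimal 24-bit BMP (constructed sample) and append a zlib-compressed
    payload after the pixel array. An empty payload yields a clean image."""
    width, height = 2, 2
    row = b"\xff\x00\x00" * width + b"\x00\x00"  # 6 pixel bytes + 2 bytes of row padding
    pixels = row * height
    pixel_offset = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    tail = zlib.compress(payload) if payload else b""
    file_size = pixel_offset + len(pixels) + len(tail)
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    info_header = struct.pack(
        "<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0
    )
    return file_header + info_header + pixels + tail


def find_embedded_zlib_streams(data: bytes, min_size: int = 16):
    """Return (offset, inflated_bytes) for every complete zlib stream found anywhere
    in the file. Candidate offsets that fall inside an already-recovered stream are
    skipped so one hidden object is reported once."""
    found = []
    covered = []  # (start, end) ranges of streams already recovered
    for hdr in ZLIB_HEADERS:
        start = data.find(hdr)
        while start != -1:
            if not any(s <= start < e for s, e in covered):
                d = zlib.decompressobj()
                try:
                    out = d.decompress(data[start:])
                    # d.eof is only set when the stream ended cleanly with its checksum.
                    if d.eof and len(out) >= min_size:
                        end = len(data) - len(d.unused_data)
                        covered.append((start, end))
                        found.append((start, out))
                except zlib.error:
                    pass  # random bytes that merely looked like a header
            start = data.find(hdr, start + 1)
    found.sort(key=lambda item: item[0])
    return found


def scan_image(data: bytes):
    """Summarise each embedded stream: where it sits and which script markers it contains."""
    findings = []
    for offset, blob in find_embedded_zlib_streams(data):
        lowered = blob.lower()
        markers = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
        findings.append({"offset": offset, "size": len(blob), "script_markers": markers})
    return findings


if __name__ == "__main__":
    suspicious = build_sample_bmp(SAMPLE_PAYLOAD)
    for f in scan_image(suspicious):
        print(f"zlib stream at offset {f['offset']}, {f['size']} bytes, markers: {f['script_markers']}")
    print("clean image findings:", scan_image(build_sample_bmp(b"")))
```

In the constructed sample the hidden stream begins at offset 70 (right after the 16-byte pixel array), and the inflated blob carries the `<script`, `<hta:application` and `vbscript` markers; the clean image produces no findings. On real files the same scan can be pointed at the pixel area of BMPs extracted from Office documents, where a converted PNG would leave the compressed object in plain sight.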

This attack has many similarities with previous operations of the Lazarus group, and the researchers believe these are strong indicators attributing the attack to Lazarus:

● The second-stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT associated with the Lazarus group.

● The second-stage payload uses a combination of encoding and RC4 for data obfuscation, a technique commonly used by Lazarus.

● The second-stage payload used in the attack shares code similarities with known Lazarus families, including Destover.
● In past Lazarus campaigns, including AppleJeus, the supply-chain attacks against South Korea and the DreamJob operations, data and messages were observed being sent to the server as GIFs.
● This phishing attack is aimed mainly at South Korea, which is one of the group's main targets.
● The group is known to use Mshta.exe to run malicious scripts and downloaders, similar to what was used in this attack.

Lazarus is one of North Korea’s most active and sophisticated threat groups. In the past few years it has attacked many countries, including South Korea, the United States and Japan. The group develops custom malware families and adopts new techniques in its operations.