
Lazarus APT hides malicious code in BMP to Drop its RAT

Researchers discovered on April 13 that Lazarus had organized a phishing campaign targeting South Korea. The group embeds the malicious HTA file, zlib-compressed, inside a PNG file and converts it to BMP format at runtime; the conversion strips the compression layer, releasing a remote access Trojan capable of stealing sensitive information.
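The following is an added example, not code from the original report: a defender-side scanner that parses a PNG, inflates its IDAT zlib stream (the same thing a PNG-to-BMP conversion does) and looks for HTA script markers in the result. The sample image it builds is constructed in-memory with a harmless placeholder payload; the marker list and the `build_sample_png` helper are assumptions for the demonstration.

```python
import struct
import zlib

# Markers a defender might look for once the zlib layer is removed; chosen for
# this example, not taken from the report.
HTA_MARKERS = (b"<html", b"<script", b"mshta", b"activexobject")

# Constructed, benign stand-in for an embedded HTA document.
SAMPLE_HTA = b'<html><head><script language="VBScript">\' placeholder\n</script></head></html>'


def png_chunks(data: bytes):
    """Yield (type, payload) for every chunk in a PNG file."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4-byte length + 4-byte type + payload + 4-byte CRC


def scan_png_for_hta(data: bytes) -> list:
    """Inflate the concatenated IDAT stream and report script markers found in it.

    A PNG-to-BMP conversion performs the same inflate step, which is how the
    embedded HTA becomes readable at runtime in the campaign described above.
    """
    idat = b"".join(p for t, p in png_chunks(data) if t == b"IDAT")
    try:
        raw = zlib.decompress(idat).lower()
    except zlib.error:
        return []  # not a valid zlib stream; nothing to inspect here
    return [m.decode() for m in HTA_MARKERS if m in raw]


def build_sample_png(payload: bytes) -> bytes:
    """Constructed test image whose IDAT zlib stream carries `payload` in place
    of real scanline data. The IHDR dimensions are nominal (8-bit grayscale)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, len(payload), 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(payload)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    print(scan_png_for_hta(build_sample_png(SAMPLE_HTA)))   # ['<html', '<script']
    print(scan_png_for_hta(build_sample_png(b"\x00\xff" * 4)))  # []
```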

The overall attack process is as follows:

[Figure: overall attack process]

The Korean-language decoy document used by the group was weaponized on March 31, 2021; its content is an application form for a city fair in South Korea.

[Figure: Korean decoy document]

When the document is opened for the first time it prompts the user to enable macros. Once they are enabled, the macro code that triggers the infection chain runs, and an executable named “AppStore.exe” is eventually dropped.

That executable then extracts the encrypted second-stage payload appended to itself, decodes and decrypts it at runtime, and establishes communication with a remote server to receive further commands and send their results back.

This attack has many similarities with previous Lazarus operations, which the researchers consider strong indicators for attributing it to the group:

● The second-stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT attributed to Lazarus.
● The second-stage payload uses a combination of Base64 encoding and RC4 for data obfuscation, a technique commonly used by Lazarus.
● The second-stage payload used in this attack shares code with known Lazarus families, including Destover.
● In past Lazarus campaigns, including AppleJeus, supply-chain attacks against South Korea and the DreamJob operation, data and messages sent to the server have been observed disguised as GIF files.
● This phishing attack is aimed mainly at South Korea, one of the group’s primary targets.
● The group is known to use Mshta.exe to run malicious scripts and downloaders, similar to what was used in this attack.

Lazarus is one of North Korea’s most active and sophisticated threat groups. Over the past few years it has attacked many countries, including South Korea, the United States and Japan. The group develops custom malware families and adopts new techniques in its operations.

IOCs
