
BMP images being used by Lazarus APT hackers to hide RAT malware

  • Writer: Cyber Cluster
  • May 3, 2021
  • 2 min read

A spear-phishing attack carried out by a North Korean threat actor targeting its southern counterpart was discovered to hide its malicious code inside a bitmap (.BMP) image file, resulting in the installation of a remote access trojan (RAT) capable of stealing sensitive information.

Researchers from Malwarebytes said the phishing campaign began with emails carrying a malicious document, which Malwarebytes detected on April 13. They attributed the attack to the Lazarus Group based on similarities to techniques the adversary has used before.


"The actor has used a clever method to circumvent protection mechanisms by embedding its malicious HTA file as a compressed zlib file inside a PNG file, which was then decompressed during run time by converting itself to the BMP format," Malwarebytes researchers said.


"A loader was dropped as part of the payload, which decoded and decrypted the second stage payload and stored it in memory. The payload in the second stage will receive and execute commands/shellcode, as well as exfiltrate data and communicate with a command and control server."
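
A defender-side check for the embedding technique described above, added here as an example and not code from Malwarebytes or the original post: it scans an image file for complete zlib streams and flags any whose decompressed content carries HTA markers rather than pixel data. The container signatures, the marker list and the sample bytes are assumptions constructed for the example.

```python
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BMP_MAGIC = b"BM"
# Strings typical of an HTA body; matched case-insensitively below (assumed list).
HTA_MARKERS = (b"<hta:application", b"<script", b"wscript.shell", b"activexobject")

def container_type(data: bytes) -> str:
    """Identify the image container by its file signature."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(BMP_MAGIC):
        return "bmp"
    return "unknown"

def find_zlib_streams(data: bytes, min_size: int = 16):
    """Return (offset, decompressed_bytes) for each complete zlib stream in data."""
    found = []
    off = data.find(b"\x78")
    while off != -1 and off + 1 < len(data):
        cmf, flg = data[off], data[off + 1]
        # A valid zlib header satisfies (CMF*256 + FLG) % 31 == 0 (RFC 1950).
        if (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[off:])
                # Only keep streams that ran to their end marker, to cut false hits.
                if d.eof and len(out) >= min_size:
                    found.append((off, out))
            except zlib.error:
                pass
        off = data.find(b"\x78", off + 1)
    return found

def scan_image(data: bytes):
    """Report every embedded zlib stream and whether its content looks like an HTA."""
    report = {"container": container_type(data), "streams": []}
    for off, blob in find_zlib_streams(data):
        low = blob.lower()
        hta = any(m in low for m in HTA_MARKERS)
        report["streams"].append({"offset": off, "size": len(blob), "hta_like": hta})
    return report

# Constructed sample (not real malware): a PNG signature, filler bytes, and a
# zlib-compressed, harmless HTA-style document embedded the way the post describes.
SAMPLE_HTA = (b'<html><head><hta:application id="demo"/></head>'
              b'<script language="VBScript">MsgBox "constructed sample"</script></html>')
SAMPLE_IMAGE = PNG_MAGIC + b"\x00" * 64 + zlib.compress(SAMPLE_HTA) + b"\xff" * 32
if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

Legitimate PNG files carry zlib streams in their IDAT chunks, so the presence of a stream alone means nothing; the marker check on the decompressed content is the signal worth alerting on.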

The lure document (in Korean) was created on March 31, 2021, and it pretends to be an application form for a fair in one of South Korea's cities. When a user opens it for the first time, it prompts them to enable macros; doing so runs the attack code that starts the infection chain, eventually dropping an executable named "AppStore.exe."


AppStore.exe then extracts an encrypted second-stage payload appended to its own file, decodes and decrypts it at runtime, and establishes a connection to a remote server to receive additional commands and relay the results of those commands back to the server.


"The Lazarus threat actor is one of North Korea's most prominent and advanced threat actors, having threatened many countries in recent years, including South Korea, the United States, and Japan," the researchers said. "In order to improve the efficacy of its attacks, Lazarus is known to use new techniques and custom toolkits."

