The Lazarus group has been observed using an unusual technique to hide malicious payloads inside image files embedded in phishing documents, converting the image from PNG to BMP to unpack the payload and ultimately drop a Trojan.
The obfuscation technique was observed in a campaign attributed to Lazarus and documented by Malwarebytes on April 13, the cybersecurity firm writes.
Lazarus is a North Korea-sponsored advanced persistent threat group that has been in operation for over a decade and is considered responsible for high-profile campaigns including the WannaCry ransomware attacks and intrusions at banks and cryptocurrency exchanges.
The recent attacks started with a phishing document in Microsoft Office format (참가신청서양식.doc, roughly "participation application form") containing Korean text. Targeted individuals have to enable macros in order to view the file's content; once they do, the macro shows a pop-up message about an outdated version of Office while the payload is unpacked in the background.
The obfuscation works as follows: the malicious payload is zlib-compressed and stored as the pixel data of a PNG image embedded in the document. Because PNG pixel data is itself a zlib (deflate) stream, the payload's bytes never appear in clear anywhere in the file, so a static scanner looking for embedded objects or script keywords sees only ordinary compressed image data. Converting the PNG to BMP, an uncompressed raster format, is all it takes to inflate the payload back into its original form.
“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is that the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it cannot be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”
Once macros are enabled, the macro extracts an executable HTA file that had been zlib-compressed and hidden inside a PNG image in the document. The PNG is converted to the BMP format, which decompresses the data, and the recovered HTA runs a downloader for a Remote Access Trojan (RAT) that is stored as “AppStore.exe” on the compromised computer.
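The mechanism above is easy to reproduce and, more usefully, to detect. The following Python example is added here and is not code from Malwarebytes or from the campaign: it builds a PNG whose pixel data is a constructed, harmless stand-in for the HTA (it only contains the tags a real HTA would), shows that a naive static scan of the PNG bytes finds nothing, and then performs the same inflation a PNG-to-BMP conversion performs, after which the script markers are visible. The `SAMPLE_PAYLOAD`, `SCRIPT_MARKERS` and all function names are assumptions for the illustration; writing out the BMP container itself is omitted because the pixel extraction is the step that exposes the payload.

```python
import struct
import zlib

# Constructed stand-in for the attacker's zlib-compressed HTA (hypothetical):
# harmless text that merely carries the markers a real HTA would.
SAMPLE_PAYLOAD = (
    b"<html><head><hta:application id=\"x\"></head>"
    b"<script language=\"VBScript\">\n"
    + b"' CONSTRUCTED placeholder line, no real logic here\n" * 3
    + b"</script></html>"
)

# Strings a detection rule might look for in a document image (assumed list).
SCRIPT_MARKERS = (b"<hta:application", b"<script", b"ActiveXObject", b"WScript.Shell")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_png_with_payload(payload: bytes) -> bytes:
    """Build a one-row, 8-bit grayscale PNG whose pixel bytes are `payload`.
    IDAT is a zlib stream, so on disk the payload exists only in compressed
    form and looks like ordinary image data."""
    width, height = len(payload), 1
    # IHDR: width, height, bit depth 8, color type 0 (gray), compression 0,
    # filter method 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    scanline = b"\x00" + payload  # filter type 0 (None), then raw pixel bytes
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline, 9)) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, checking the signature and CRCs."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {kind!r} chunk")
        yield kind, data
        pos += 12 + length
        if kind == b"IEND":
            break


def inflate_pixel_stream(png: bytes) -> bytes:
    """Concatenate every IDAT chunk and inflate it. This is exactly the
    decompression a PNG-to-BMP conversion performs, which is why the
    resulting BMP carries the payload in clear."""
    idat = b"".join(data for kind, data in iter_chunks(png) if kind == b"IDAT")
    return zlib.decompress(idat)


def raw_pixels(png: bytes) -> bytes:
    """Strip the per-scanline filter byte, as a raster writer does before
    emitting uncompressed rows (8-bit grayscale, filter type 0 only)."""
    ihdr = next(data for kind, data in iter_chunks(png) if kind == b"IHDR")
    width, height, depth, color = struct.unpack(">IIBB", ihdr[:10])
    if depth != 8 or color != 0:
        raise ValueError("this example handles 8-bit grayscale only")
    stream = inflate_pixel_stream(png)
    rows = []
    for r in range(height):
        row = stream[r * (width + 1):(r + 1) * (width + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled here")
        rows.append(row[1:])
    return b"".join(rows)


def find_script_markers(blob: bytes):
    """Naive static scan: which markers occur literally in `blob`."""
    return [m for m in SCRIPT_MARKERS if m in blob]


def scan_png_for_embedded_script(png: bytes):
    """Detection: scan the file as stored on disk and again after inflating
    the pixel data. Only the second view sees through the zlib layer."""
    return {"on_disk": find_script_markers(png),
            "after_inflate": find_script_markers(raw_pixels(png))}


if __name__ == "__main__":
    png = build_png_with_payload(SAMPLE_PAYLOAD)
    print(scan_png_for_embedded_script(png))
```

The practical lesson for detection engineering is in `scan_png_for_embedded_script`: a rule that only greps the document, or only looks for OLE-style embedded objects, never sees the HTA, while inflating each image's IDAT stream before applying the same rule does. The CRC check in `iter_chunks` is there because a tampered or hand-crafted PNG is itself a useful signal worth surfacing rather than silently skipping.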
The RAT establishes a connection with a command-and-control (C2) server, receives commands, and can drop and execute shellcode. Communication between the malware and the C2 server is encrypted with an algorithm that has previously been linked to Lazarus’ Bistromath RAT.