Lazarus Now Uses BMP Images To Deliver RATs

The Lazarus group uses an interesting technique that obfuscates payloads inside BMP image files delivered to victims in phishing documents, ultimately dropping Trojans.

The new obfuscation techniques were detected in a campaign attributed to Lazarus and documented by Malwarebytes on April 13, the cybersecurity firm writes.

Lazarus is a Korea-sponsored advanced persistent threat group that has been in operation for over a decade and is considered responsible for high-profile campaigns including the WannaCry ransomware attacks and assaults against banks and cryptocurrency exchanges.

The recent attacks started with a phishing document in Microsoft Office format (참가신청서양식.doc) and some text in Korean. Targeted individuals have to enable macros in order to view the file’s content. The macro shows a pop-up message about an outdated version of Office. 

The attackers use a clever obfuscation technique: the malicious payload is hidden in a compressed object inside a BMP file, which antivirus software cannot inspect with static analysis.

“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it cannot be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”

Once macros are enabled, the document carries an executable HTA file, zlib-compressed and hidden inside a PNG image. The PNG is then converted to the BMP format, after which the HTA runs a downloader for a Remote Access Trojan (RAT), stored as “AppStore.exe” on the compromised computer.
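As an added illustration (not code from the article or from Malwarebytes' report), here is the check a defender can run on an image pulled from a suspicious document: decompress the PNG's IDAT stream, which is effectively what the PNG-to-BMP conversion does, and look for HTA script markers in the resulting pixel bytes. The sample PNG and the text it carries are constructed here, and the example assumes the HTA text sits directly in the image's pixel data.

```python
import struct
import zlib

# Markers that indicate HTML Application (HTA) script text rather than pixels.
HTA_MARKERS = (b"<script", b"<hta:application", b"<html")

def _png_chunks(data):
    """Yield (type, body) for each chunk of a PNG; reject a bad signature."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        yield ctype, body
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            break

def scan_png_for_hta(data):
    """Inflate the concatenated IDAT stream (as a PNG-to-BMP conversion does)
    and return the HTA markers found in the decompressed pixel bytes."""
    idat = b"".join(body for ctype, body in _png_chunks(data) if ctype == b"IDAT")
    try:
        pixels = zlib.decompress(idat)
    except zlib.error:
        return []
    lowered = pixels.lower()
    return [m for m in HTA_MARKERS if m in lowered]

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_sample_png(payload, width=64):
    """Build a constructed 8-bit grayscale PNG whose pixel bytes carry payload."""
    rows = (len(payload) + width - 1) // width
    raw = payload.ljust(rows * width, b"\x00")
    scanlines = b"".join(b"\x00" + raw[r * width:(r + 1) * width] for r in range(rows))
    ihdr = struct.pack(">IIBBBBB", width, rows, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))

SUSPICIOUS_PNG = make_sample_png(b"<HTML><SCRIPT>' constructed stand-in, not malware</SCRIPT></HTML>")
CLEAN_PNG = make_sample_png(bytes(range(256)) * 2)  # constructed ordinary pixel data

if __name__ == "__main__":
    print(scan_png_for_hta(SUSPICIOUS_PNG))  # [b'<script', b'<html']
    print(scan_png_for_hta(CLEAN_PNG))  # []
```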

The RAT can establish a connection with a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is encrypted with an algorithm that has previously been connected to Lazarus’ Bistromath RAT.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.