A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap (.BMP) image file to drop a remote access trojan (RAT) capable of stealing sensitive information.
Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13.
“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format,” Malwarebytes researchers said.
“The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.”
Created on March 31, 2021, the lure document (in Korean) purports to be a participation application form for a fair in one of the South Korean cities and prompts users to enable macros upon opening it for the first time, only to execute the attack code that triggers the infection chain, ultimately dropping an executable called “AppStore.exe.”
The payload then proceeds to extract an encrypted second-stage payload appended to itself that’s decoded and decrypted at run time, followed by establishing communications with a remote server to receive additional commands and transmit the results of those commands back to the server.
“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S., and Japan in the past couple of years,” the researchers said. “Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks.”