
Lazarus APT Hackers are now using BMP images to hide RAT malware

April 20, 2021

A spear-phishing attack run by a North Korean threat actor targeting its southern counterpart has been found to hide its malicious code inside a bitmap (.BMP) image file in order to drop a remote access trojan (RAT) capable of stealing sensitive information.

Attributing the attack to the Lazarus Group based on similarities to techniques previously used by the adversary, researchers from Malwarebytes said the phishing campaign began by distributing emails laced with a malicious document, which it identified on April 13.


“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format,” Malwarebytes researchers said.

“The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the ability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.”
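The embedding technique described above (a zlib-compressed HTA carried inside an image file) suggests a simple triage check for defenders: scan an image for zlib streams at any offset and inspect whatever inflates for HTA markers. The script below is an added example, not code from the report or from Malwarebytes; the BMP input it builds, the marker list and the `triage_image` function are constructed for this demonstration.

```python
import zlib
from typing import List, Tuple

# zlib stream headers (CMF/FLG) for the common compression levels.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")
# Strings that make inflated content look like an HTA (assumed marker list).
HTA_MARKERS = (b"<hta:application", b"<script", b"ActiveXObject", b"WScript.Shell")


def find_embedded_zlib(data: bytes, min_size: int = 16) -> List[Tuple[int, bytes]]:
    """Return (offset, inflated_bytes) for every complete zlib stream found in data."""
    hits = []
    for i in range(len(data) - 1):
        if data[i:i + 2] not in ZLIB_HEADERS:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[i:])
        except zlib.error:
            continue  # header bytes by coincidence, not a real stream
        if d.eof and len(out) >= min_size:  # only streams that terminate cleanly
            hits.append((i, out))
    return hits


def looks_like_hta(blob: bytes) -> bool:
    """Case-insensitive check for HTA/script markers in inflated content."""
    low = blob.lower()
    return any(m.lower() in low for m in HTA_MARKERS)


def triage_image(data: bytes) -> dict:
    """Summarise container type and any embedded zlib payloads. Note that PNG IDAT
    chunks are legitimately zlib-compressed, so a PNG always yields hits; a BMP with
    uncompressed (BI_RGB) pixels should yield none, which makes any hit suspicious."""
    result = {"is_bmp": data[:2] == b"BM",
              "is_png": data[:8] == b"\x89PNG\r\n\x1a\n",
              "embedded": []}
    for off, payload in find_embedded_zlib(data):
        result["embedded"].append({"offset": off, "size": len(payload),
                                   "hta_like": looks_like_hta(payload)})
    return result


def build_sample() -> bytes:
    """Constructed test input: 14-byte BMP header, 40-byte DIB header, four white
    pixels, then a zlib stream carrying a harmless HTA-shaped stub at offset 70."""
    header = b"BM" + (0).to_bytes(4, "little") + b"\x00" * 4 + (54).to_bytes(4, "little")
    dib = (40).to_bytes(4, "little") + b"\x00" * 36
    pixels = b"\xff\xff\xff\x00" * 4
    stub = b"<html><head><hta:application id='demo'/></head><body></body></html>"
    return header + dib + pixels + zlib.compress(stub)


if __name__ == "__main__":
    print(triage_image(build_sample()))
```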

Created on March 31, 2021, the lure document (in Korean) purports to be a participation application form for a fair in one of the South Korean cities and prompts users to enable macros upon opening it for the first time, only to execute the attack code that triggers the infection chain, ultimately dropping an executable called “AppStore.exe.”


The payload then extracts an encrypted second-stage payload appended to itself, which is decoded and decrypted at run time, and then establishes communications with a remote server to receive additional commands and transmit the results of those commands back to the server.

“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S., and Japan in the past couple of years,” the researchers said. “Lazarus is known to use new techniques and custom toolsets in its operations to increase the effectiveness of its attacks.”
