The Lazarus threat group has updated its detection-evasion techniques by concealing its malware loaders in bitmap image (BMP) files as part of a recent spear-phishing attack.
Researchers with Malwarebytes in a new report observed the advanced persistent threat (APT) group utilizing the technique to target victims in South Korea. Hossein Jazi, senior threat intelligence analyst with Malwarebytes, said that he has observed three malicious documents associated with the campaign, which he believes occurred between late March and early April.
“Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks,” said Jazi. “In this campaign, Lazarus resorted to an interesting technique of BMP files embedded with malicious HTA objects to drop its loader.”
Though they only analyzed the malicious documents, researchers believe the attack likely started via spear-phishing emails. The attached Microsoft Office documents ask the victim to enable macros. Once enabled, victims see a second document, purporting to be either a participation application form for a fair in a city in South Korea, or living expense payments - which both point to the types of lures possibly used in the initial email. The macro also calls the MsgBoxOKCancel function, which shows a message to the user claiming that they are using an older version of Microsoft Office.
In the background, the macro then calls an executable HTML Application (HTA) - a Microsoft Windows program with source code consisting of HTML - compressed as a zlib file within an overall PNG image file. The PNG image is then converted to the BMP format, using WIA_ConvertImage.
Because the BMP file format is an uncompressed graphics file format, converting a PNG file format into a BMP file format automatically decompresses the embedded, malicious zlib object, said Jazi.
“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” said Jazi. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”
“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images."
The use of WIA_ConvertImage to convert the PNG file is also noteworthy, he said, as this is a legitimate image conversion algorithm that likely won’t raise any red flags.
Finally, the function retrieves a WMI object, which calls Mshta - a utility for executing HTA files - to execute the BMP file. Once the BMP file is decompressed, the HTA file executes JavaScript to drop a loader, stored as “AppStore.exe.” The second-stage payload of this loader then makes HTTP requests to the command-and-control (C2) servers, allowing it to receive commands from the bad actors. These commands include gathering information from the machine and sending exfiltrated data to the C2 server, said Jazi.
The use of seemingly-benign images to cloak malware, or steganography, is not new, as seen in previous malware campaigns. Researchers in 2019, for instance, discovered a Cardinal RAT sample compiled with .NET and containing an embedded BMP file. ObliqueRAT, similarly, was spotted in March hidden in BMP images that were hosted on compromised websites.
While embedding objects within images is not a new technique, Jazi said he has not typically seen cybercriminals embedding compressed HTA objects into PNG files, and converting them to BMP in order to decompress the embedded object.
Researchers pointed to several similarities between this campaign and previous Lazarus operations. For instance, the second-stage payload in the attack had some code similarities to known Lazarus malware families, like the Destover malware. It also used a combination of base64 and RC4 for obfuscation, as well as a custom encryption algorithm, both of which have been used previously by Lazarus.
The North Korean threat group (also known as Hidden Cobra and APT38), which has been active since 2009, has been known to target various countries with cryptocurrency, phishing and malware attacks. The campaign shows how the Lazarus group continues to update its tactics. Recently, the threat group also infected several e-commerce shops with an undocumented, modified JavaScript sniffer that aimed to steal cryptocurrency from online consumers.
“The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S. and Japan in the past couple of years,” said Jazi. “The group is known to develop custom malware families and use new techniques in its operations.”