Security News > 2021 > April > Lazarus APT Hackers are now using BMP images to hide RAT malware

A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap image file to drop a remote access trojan capable of stealing sensitive information.

Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13.

"The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format," Malwarebytes researchers said.

"The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server."

The payload then proceeds to extract an encrypted second-stage payload appended to itself that's decoded and decrypted at run time, followed by establishing communications with a remote server to receive additional commands and transmit the results of those commands back to the server.

"The Lazarus threat actor is one of the most active and sophisticated North Korean threat actors that has targeted several countries including South Korea, the U.S., and Japan in the past couple of years," the researchers said.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/wHc4_FCN43Y/lazarus-apt-hackers-are-now-using-bmp.html