The Lazarus group has improved its loader obfuscation techniques in a recent phishing campaign by abusing image files.
Lazarus, the state-sponsored advanced persistent threat (APT) group from North Korea, has been in operation for over a decade and is believed to be responsible for worldwide attacks such as the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.
South Korean organizations are consistent targets for Lazarus, although the APT has also been traced back to cyberattacks in the US and, more recently, South Africa.
In a recent campaign reported by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of a new technique designed to obfuscate payloads in image files.
The attack chain begins with a phishing Microsoft Office document and a lure in the Korean language. The victims are asked to enable macros in order to view the file’s content, which, in turn, triggers a malicious payload.
The macro displays a pop-up message claiming the file comes from an old version of Office; in the background, it calls an executable HTA file that has been zlib-compressed and embedded inside a PNG image file.
During decompression, the PNG is converted to the BMP format. Once the decompressed HTA is triggered, it drops a loader for a Remote Access Trojan (RAT), stored as “AppStore.exe” on the target machine.
The researchers stated that it is a brilliant method used by the attackers to bypass security mechanisms that can detect embedded objects within images: the document contains a PNG image that holds a zlib-compressed malicious object, and since it is compressed, it cannot be detected by static detections. The attacker then only has to use a simple conversion mechanism to decompress the malicious content.
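To show why a byte-pattern scan of the PNG misses the payload while a scan of the inflated pixel data (what a PNG-to-BMP conversion produces) finds it, here is an added detection example that is not code from the Malwarebytes report or from the campaign. It constructs its own 8-bit greyscale PNG around an inert, constructed HTA-like string (`SAMPLE_HTA`) and assumes filter type 0 on every scanline; the marker list `MARKERS` is also a constructed illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings a static scanner would flag in an HTA; constructed list for the demo.
MARKERS = [b"<script", b"<html", b"CreateObject", b"WScript.Shell"]
# Constructed, inert HTA-like text standing in for the embedded payload.
SAMPLE_HTA = b'<html><script language="VBScript">Set o = CreateObject("WScript.Shell")</script></html>'

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png_with_payload(payload: bytes, width: int = 32) -> bytes:
    """Constructed sample: 8-bit greyscale PNG whose scanlines carry `payload`.
    Each scanline is a filter byte (0 = None) plus `width` pixel bytes, so the
    payload exists only inside the zlib-compressed IDAT stream."""
    rows = [b"\x00" + payload[i:i + width].ljust(width, b"\x00")
            for i in range(0, len(payload), width)]
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows), 9))
            + _chunk(b"IEND", b""))

def inflate_pixels(png: bytes) -> bytes:
    """Inflate all IDAT data and drop the per-row filter bytes, which is what a
    PNG-to-BMP conversion does. Assumes 8-bit depth and filter type 0 rows."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, bpp = 8, b"", 0, 1
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, _, depth, colour = struct.unpack(">IIBB", data[:10])
            bpp = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[colour] * max(depth // 8, 1)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * bpp + 1
    return b"".join(raw[i + 1:i + stride] for i in range(0, len(raw), stride))

def scan_png(png: bytes) -> dict:
    """Naive byte scan of the file next to a scan of the inflated pixel data."""
    hit = lambda blob: [m.decode() for m in MARKERS if m in blob]
    return {"raw": hit(png), "inflated": hit(inflate_pixels(png))}
```

The `raw` list stays empty because the markers only exist inside the deflate stream; the `inflated` list is what a scanner gets once it decompresses IDAT itself rather than trusting the file's bytes.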
The RAT is able to link up to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is base64 encoded and encrypted using a custom encryption algorithm that has previously been linked to Lazarus’ Bistromath RAT.