


The Lazarus Group has tweaked loader obfuscation techniques by abusing image files in recent phishing campaigns.

Lazarus is a state-sponsored advanced persistent threat (APT) group backed by North Korea.

Known as one of the most prolific and sophisticated APTs in the world, Lazarus has been in operation for over a decade and is believed to be responsible for attacks around the globe, including the WannaCry ransomware outbreak, bank thefts, and cryptocurrency exchange attacks.

South Korean organizations are a consistent target of Lazarus, but the APT has also been connected to cyberattacks in the United States and, more recently, South Africa.

In a campaign documented by Malwarebytes on April 13, phishing documents attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads inside image files.

The attack chain begins with a phishing Microsoft Office document (.doc) using a Korean-language lure. The intended victim is asked to enable macros in order to view the contents of the file; doing so triggers the malicious payload.

The macro displays a pop-up message claiming the document was created in an older version of Office, but in the background it calls an executable HTA file that has been zlib-compressed inside an overall PNG image file.

During decompression, the PNG is converted to BMP format; once triggered, the HTA drops a remote access Trojan (RAT) loader stored as “AppStore.exe” on the target machine.

“This is a clever method used by actors to bypass security mechanisms that can detect objects embedded in images,” the researchers say. “The reason is that the document contains a PNG image that contains a compressed zlib malicious object; since it is compressed, it cannot be detected by static detection. Then the attacker uses a simple conversion mechanism to decompress the malicious content.”
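To make the evasion the researchers describe concrete from the defender's side, here is an added Python example (not code from Malwarebytes, the campaign, or the original article) that builds a constructed PNG whose zlib-compressed IDAT stream carries a marker string, shows that a byte-level signature scan of the PNG file misses it, and recovers it by inflating the IDAT data the way a PNG-to-BMP conversion does. The marker strings, the minimal grayscale PNG layout, the first-scanline payload placement and the generic zlib-stream carving are all assumptions made for this example, not details from the report.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Strings a defender might look for in decoded image data. These are assumed
# indicators of an HTA/script payload, not the exact strings from the campaign.
SUSPICIOUS_MARKERS = (b"<HTA:APPLICATION", b"<script", b"CreateObject(", b"WScript.Shell")


def find_markers(blob: bytes) -> list:
    """Return the markers present in blob, as strings (in table order)."""
    return [m.decode() for m in SUSPICIOUS_MARKERS if m in blob]


def parse_png_chunks(data: bytes):
    """Yield (chunk_type, chunk_body) from a PNG, verifying every chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):  # length(4) + type(4) + crc(4) is the smallest chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def inflate_png_pixels(png: bytes) -> bytes:
    """Concatenate the IDAT chunks and inflate them. This is the raw scanline
    data that a PNG-to-BMP conversion writes out, so anything hidden in the
    compressed stream becomes visible here."""
    idat = b"".join(body for ctype, body in parse_png_chunks(png) if ctype == b"IDAT")
    return zlib.decompress(idat)


def carve_zlib_streams(blob: bytes) -> list:
    """Generic fallback for any file type: try to inflate at every plausible
    zlib header offset and keep the streams whose output carries a marker.
    Returns a list of (offset, inflated_bytes)."""
    hits = []
    for i in range(len(blob) - 1):
        if blob[i] != 0x78 or blob[i + 1] not in (0x01, 0x5E, 0x9C, 0xDA):
            continue
        try:
            out = zlib.decompressobj().decompress(blob[i:])
        except zlib.error:
            continue  # not a real stream at this offset
        if find_markers(out):
            hits.append((i, out))
    return hits


def scan_png(png: bytes) -> dict:
    """Compare what a static byte scan sees with what the inflated pixels contain."""
    inflated = inflate_png_pixels(png)
    return {
        "raw_hits": find_markers(png),            # byte-level signature scan of the file
        "inflated_hits": find_markers(inflated),  # content after the PNG-to-BMP style inflate
        "carved_streams": len(carve_zlib_streams(png)),
    }


def build_png(pixel_bytes: bytes, width: int, height: int) -> bytes:
    """Build a minimal 8-bit grayscale PNG whose first scanline starts with
    pixel_bytes. Constructed test fixture, not a real sample."""
    if len(pixel_bytes) > width or height < 1:
        raise ValueError("payload must fit in the first scanline")
    rows = [pixel_bytes.ljust(width, b"\x00")] + [b"\x00" * width] * (height - 1)
    raw = b"".join(b"\x00" + row for row in rows)  # filter type 0 on every scanline

    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # 8-bit grayscale, no interlace
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


# Constructed sample: a harmless marker string standing in for an embedded HTA.
CONSTRUCTED_PAYLOAD = b"<HTA:APPLICATION id=constructed-sample>"


if __name__ == "__main__":
    print(scan_png(build_png(CONSTRUCTED_PAYLOAD, 64, 16)))  # raw_hits empty, inflated_hits populated
    print(scan_png(build_png(b"", 64, 16)))                  # clean image: no hits anywhere
```

Running the script shows the gap the quote points at: the marker is absent from the compressed PNG bytes, so a signature scan of the attachment reports nothing, while inflating the IDAT data (or carving zlib streams from the file) exposes it. The same `carve_zlib_streams` pass can be run over any document attachment, not only PNGs, when an inspection pipeline wants to look inside compressed blobs before a macro has the chance to unpack them.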

The RAT can connect to a command and control (C2) server, receive commands, and drop shellcode. Communication between the malware and the C2 is base64-encoded and encrypted with a custom encryption algorithm previously linked to Lazarus’ Bistromath RAT.

In related news, Google’s Threat Analysis Group (TAG) warned earlier this month that North Korean threat actors are targeting security researchers across social media. First discovered in January, the scheme includes a web of fake profiles, browser exploits, and fake offensive security companies.

