The Lazarus group, infamous for its effective reconnaissance techniques has come up with a new campaign against South Korea. As per Malwarebytes researchers, the Lazarus group is sending phishing emails containing their data-stealing RAT, and luring targets to run it. Here, the threat actors are hiding their malware in a Bitmap file.

Lazarus Group New Phishing Campaign

For years, the Lazarus group is known for various attacks against nations across the world. It has invaded countries like the US, Japan, South Korea, etc to steal sensitive data for gaining leverage over them. Since sponsored by the North Korean nation, it’s equipped with all the resources to try to come up with new features regularly.

Now, the threat actor is following a new technique to remain undetected – by hiding their malware within a bitmap image file. This was discovered by the researchers at Malwarebytes, who detailed the mechanism of the Lazarus group’s new campaign.

Bmp image malware attack
Bmp image malware attack

Under this, the group starts sending out phishing emails with a file attached, claiming to be an application form for a fair happening in South Korea. To see the contents within, it asks the target to enable macros, which lets the adversary run its malicious code behind it.

According to the researchers, the initial payload is a loader that can decode and decrypt the second payload in the next stage, which is actually a remote access trojan (RAT). Once in, it’s capable of receiving and executing “commands/shellcode as well as perform exfiltration and communications to a command and control server.”

Threat actors here got clever enough to hide their first payload (loader) in the “HTA file as a compressed zlib file within a PNG file“, which is then able to “decompressed during run time by converting itself to the BMP format.” This technique for hiding itself from antivirus detectors makes it more effective.

Other Trending News:-  News


Please enter your comment!
Please enter your name here