A spear-phishing assault operated by a North Korean risk actor focusing on its southern counterpart has been discovered to hide its malicious code inside a bitmap (.BMP) picture file to drop a distant entry trojan (RAT) able to stealing delicate data.
Attributing the assault to theprimarily based on similarities to prior ways adopted by the adversary, researchers from Malwarebytes stated the phishing marketing campaign began by distributing emails laced with a malicious doc that it recognized on April 13.
“The actor has used a intelligent methodology to bypass safety mechanisms during which it has embedded its maliciousfile as a compressed file inside a PNG file that then has been decompressed throughout run time by changing itself to the BMP format,” Malwarebytes researchers .
“The dropped payload was a loader that decoded and decrypted the second stage payload into reminiscence. The second stage payload has the aptitude to obtain and execute instructions/shellcode in addition to carry out exfiltration and communications to a command and management server.”
Created on March 31, 2021, the lure doc (in Korean) purports to be a participation software kind for a good in one of many South Korean cities and prompts customers to allow macros upon opening it for the primary time, solely to execute the assault code that triggers the an infection chain, finally dropping an executable referred to as “AppStore.exe.”
The payload then proceeds to extract an encrypted second-stage payload appended to itself that is decoded and decrypted at run time, adopted by establishing communications with a distant server to obtain extra instructions and transmit the outcomes of these instructions again to the server.
“The Lazarus risk actor is likely one of the most energetic and complicated North Korean risk actors that has focused a number of nations together with South Korea, the U.S., and Japan prior to now couple of years,” the researchers stated. “Lazarus is understood to make use of new methods and customized toolsets in its operations to extend the effectiveness of its assaults.”