Notice: The information in this report is a synopsis of the source articles. For in-depth information, please refer to the source cited at the end of each article.


171 Comply Cyber Alert

Date: 20 April 2021

Title:  Lazarus hacking group now hides payloads in BMP image files

Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea. Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.

In a campaign documented by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads in image files. The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) and a lure in the Korean language. Intended victims are asked to enable macros in order to view the file's content, which, in turn, triggers a malicious payload. The macro brings up a pop-up message which claims to be an old version of Office but instead calls an executable HTA file, compressed as a zlib object inside a PNG image file. During decompression, the PNG is converted to the BMP format, and once triggered, the HTA drops a loader for a Remote Access Trojan (RAT), stored as "AppStore.exe" on the target machine. The document contains a PNG image that has a compressed zlib malicious object, and because the object is compressed, static detections cannot detect it. The threat actor then just used a simple conversion mechanism to decompress the malicious content.
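An added example (not from the Malwarebytes report or the source article) of the defensive counterpart to that conversion step: inflate a PNG's zlib-compressed IDAT data and run signature matching on the result instead of on the file bytes. The marker list, function names and sample image are assumptions constructed for illustration; the code handles non-interlaced images with unfiltered rows and does not reproduce the pixel reordering of a BMP conversion.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed marker list for illustration; not taken from the report.
MARKERS = (b"<script", b"<hta:application", b"wscript.shell")

def png_chunks(data):
    """Yield (type, body) per PNG chunk; stop quietly on truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:
            return
        yield ctype, body
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC

def inflated_pixels(data, cap=32 * 1024 * 1024):
    """Inflate the IDAT stream (size-capped) and drop each row's filter byte."""
    chunks = list(png_chunks(data))
    ihdr = next(b for t, b in chunks if t == b"IHDR")
    width, _height, depth, ctype = struct.unpack(">IIBB", ihdr[:10])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[ctype]
    stride = (width * channels * depth + 7) // 8
    stream = b"".join(b for t, b in chunks if t == b"IDAT")
    raw = zlib.decompressobj().decompress(stream, cap)
    rows = [raw[i:i + stride + 1] for i in range(0, len(raw), stride + 1)]
    return b"".join(r[1:] for r in rows)

def scan(data):
    """Return (hits in raw file bytes, hits in inflated pixel data)."""
    find = lambda buf: [m.decode() for m in MARKERS if m in buf.lower()]
    return find(data), find(inflated_pixels(data))

def sample_png(payload, width=16):
    """Constructed test input: 8-bit grayscale PNG whose pixels are `payload`."""
    def chunk(t, b):
        return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    payload += b"\x00" * (-len(payload) % width)
    rows = [b"\x00" + payload[i:i + width] for i in range(0, len(payload), width)]
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"".join(rows), 9)) + chunk(b"IEND", b""))

if __name__ == "__main__":
    print(scan(sample_png(b"A" * 12 + b"<script>/* benign marker */</script>")))
```

The first list returned by `scan` is what a byte-level signature sees in the file as delivered; the second is what it sees once the image data has been decompressed.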

What to do?

Train your staff to recognize phishing email and phishing techniques.

Ensure your anti-virus and malware software is operational and up to date.

What can you do when this happens to you?

If you find your network has been compromised, immediately shut down and find the source of the breach.

Take steps to mitigate any virus or malware.

If data has been compromised and/or exfiltrated, notify all interested parties.

Rebuild the network from a known clean backup.


Lazarus hacking group now hides payloads in BMP image files | ZDNet

Charlie Osborne for Zero Day | April 20, 2021