
Virus in an Image - Lazarus APT conceals malicious code within BMP image to drop its RAT

TheSnakeEatingMarkhur

Lazarus APT conceals malicious code within BMP image to drop its RAT

Threat Intelligence Team, 11 hours ago

This blog was authored by Hossein Jazi

Lazarus APT is one of the most sophisticated North Korean Threat Actors that has been active since at least 2009. This actor is known to target the U.S., South Korea, Japan and several other countries. In one of their most recent campaigns Lazarus used a complex targeted phishing attack against security researchers.

Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks. On April 13, we identified a document used by this actor to target South Korea. In this campaign, Lazarus used an interesting technique: BMP files with embedded malicious HTA objects, used to drop its loader.

Process Graph
This attack likely started by distributing phishing emails that were weaponized with a malicious document. The following figure shows the overall process of this attack. In the next sections, we provide the detailed analysis of this process.



Figure 1: Process graph
Document Analysis
Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.



Figure 2: Blue theme
Upon enabling the macro, a message box pops up, and after the user clicks it the final lure is loaded.



Figure 3: Lure form
The document name is in Korean, “참가신청서양식.doc”, and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021, which indicates that the attack happened around the same time.

The document has been weaponized with a macro that is executed upon opening.



Figure 4: Macro
The macro starts by calling the MsgBoxOKCancel function, which pops up a message box to the user claiming that an older version of Microsoft Office is in use. After showing the message box, the macro performs the following steps:



Figure 5: Document_Open
1. Defines the required variables, such as the WMI object, Mshta and the file extension, in base64 form and then calls the Decode function to base64-decode them.
2. Gets the active document name and separates the name from the extension.
3. Creates a copy of the active document in HTML format using ActiveDocument.SaveAs with wdFormatHTML as the parameter. Saving the document as HTML stores all the images in the document in a FILENAME_files directory.

Figure 6: SaveAs HTML

4. Calls the show function to make the document protected. Protecting the document ensures users cannot make any changes to it.

Figure 7: Protect the document

5. Gets the image file that has an embedded zlib object (image003.png).
6. Converts the image from PNG format into BMP format by calling WIA_ConvertImage. Since BMP is an uncompressed graphics file format, converting the PNG into a BMP automatically decompresses the malicious zlib object embedded in the PNG. This is a clever method used by the actor to bypass security mechanisms that detect embedded objects within images: the document contains a PNG image holding a compressed zlib malicious object, and because it is compressed it cannot be found by static detections. The threat actor then used a simple conversion to decompress the malicious content.

Figure 8: Embedded objects within png and bmp file

Figure 9: Embedded hta file within bmp

7. Gets a WMI object to call Mshta to execute the BMP file. After decompression the BMP file contains an HTA file, which executes JavaScript to drop a payload.
8. Deletes all the images in the directory and then removes the directory generated by the SaveAs function.
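The PNG-to-BMP trick works because a PNG's pixel data is zlib-compressed inside its IDAT chunks, so a plain string scan of the file does not see the HTA text, while the BMP written by the conversion holds the raw pixel bytes. A defender does not need the conversion step: inflating the IDAT stream directly exposes the same bytes. The Python script below is an added example, not code from the original article or from Malwarebytes. It builds a constructed 8-bit greyscale PNG carrying a harmless HTA-like stub (not the Lazarus sample), then scans both the raw file and the inflated pixel data for script markers; the marker list, the stub and the 8-bit greyscale/filter-0 restriction are assumptions made for the example.

```python
import struct
import zlib

# Assumed marker list for the example; a real scanner would use a broader
# set of rules (YARA, for instance) rather than these four substrings.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"ActiveXObject", b"mshta")

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    """Build one PNG chunk: length, tag, data, CRC over tag+data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_png(pixel_rows):
    """Assemble a minimal 8-bit greyscale PNG from equal-length byte rows.

    Each scanline is prefixed with filter type 0 (None) and the whole image is
    zlib-compressed into a single IDAT chunk, as a normal encoder would do.
    That compression is what hides byte patterns from a naive file scan.
    """
    width, height = len(pixel_rows[0]), len(pixel_rows)
    # IHDR: width, height, bit depth 8, colour type 0 (greyscale), then
    # compression, filter and interlace methods, all 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in pixel_rows)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (tag, data) for each chunk of a PNG byte string."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        yield tag, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 tag + data + 4 CRC
        if tag == b"IEND":
            break


def png_pixel_bytes(png):
    """Inflate the IDAT stream and strip filter bytes (8-bit greyscale, filter 0 only).

    This yields the same raw pixel bytes a PNG-to-BMP conversion would write,
    without an image library and without performing the conversion.
    """
    ihdr = next(d for t, d in iter_chunks(png) if t == b"IHDR")
    width, height, depth, ctype = struct.unpack(">IIBB", ihdr[:10])
    if depth != 8 or ctype != 0:
        raise ValueError("example handles 8-bit greyscale only")
    raw = zlib.decompress(b"".join(d for t, d in iter_chunks(png) if t == b"IDAT"))
    stride = width + 1  # one filter byte per scanline
    rows = []
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled in this example")
        rows.append(row[1:])
    return b"".join(rows)


def find_script_markers(data):
    """Return the markers present in a byte string, in SCRIPT_MARKERS order."""
    return [m.decode() for m in SCRIPT_MARKERS if m in data]


def scan_png(png):
    """Compare a naive scan of the file with a scan of the inflated pixel data."""
    return {
        "file_scan": find_script_markers(png),
        "pixel_scan": find_script_markers(png_pixel_bytes(png)),
    }


def constructed_sample(width=64):
    """Constructed PNG whose pixel bytes carry a harmless HTA-like stub."""
    stub = b'<html><script>var sh = new ActiveXObject("WScript.Shell");</script></html>'
    padded = stub + b"\x00" * (-len(stub) % width)
    rows = [padded[i:i + width] for i in range(0, len(padded), width)]
    return build_png(rows)


if __name__ == "__main__":
    print(scan_png(constructed_sample()))
```

On the constructed sample, `file_scan` comes back empty while `pixel_scan` reports the `<script` and `ActiveXObject` markers, which is exactly the gap the macro exploits by converting to BMP before handing the file to mshta. A detection pipeline that inflates image data (or that flags Office macros calling WIA_ConvertImage and mshta) closes that gap without relying on the converted file ever touching disk.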
BMP file analysis (image003.zip)
The macro appended the extension .zip to the BMP file during the image conversion so that it appears to be a zip archive. This BMP file has an embedded HTA file. The HTA contains JavaScript that creates “AppStore.exe” at the path “C:\Users\Public\Libraries\AppStore.exe” (to be continued in the article...)


In simple words, they were able to code an image as a Trojan.

North Koreans have been working on cyber offensive expensively with special IT labs to make viruses, tactics and strategies..


We can set up our own Unit 8200 (Israeli) kind of program with our own cyber personnel. Shaheer Amir and Rafay Baloch are ideal to lead the defensive side, with Green Havildar to lead the offensive side..

We can get N.Korean "help" with this.. along with Chinese and Russian help regarding offense, while Turkey, the USA and the UK can help us in terms of defensive capability..

All it needs is a will and a bit of funding..
 
.

Pakistan Affairs Latest Posts

Back
Top Bottom