Jump to content
Sign in to follow this  

Lazarus group uses BMP images to hide malware

Recommended Posts

Criminals distribute a fake document in Korean disguised as an application form for a fair in a South Korean city.


Security researchers at Malwarebytes have reported a malicious campaign by North Korean hackers, in which criminals conduct targeted phishing attacks on users in South Korea. The malicious code resides inside bitmap (.BMP) image files and allows attackers to download a remote access Trojan to the victim's computer that can steal confidential information.

Experts associate the attacks with the cybercriminal group Lazarus Group, based on similarities with previous operations. The phishing campaign began on April 13 this year by sending out emails containing a malicious document.

“The attackers used a clever method to bypass security mechanisms. The hackers embedded a malicious zlib-compressed HTA file into a PNG image, which was then converted to BMP format, ”the experts explained.

The fake document, written in Korean, is an application form for a fair in a South Korean city and prompts users to enable macros the first time they open it. After the macros are run, the executable file AppStore.exe is loaded onto the victim's system. The payload then proceeds to retrieve the encrypted malware, which is decoded and decrypted at runtime and communicates with the remote C&C server for additional commands and data transfers.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Create New...