Security researchers have recently revealed a new tactic for slipping past security mechanisms in order to deploy RAT malware on targeted devices.
The actor behind this attack method is the North Korean hacking group known as Lazarus Group, and the target is South Korea.
The actor embedded its malicious HTA file as a zlib-compressed object inside what pretends to be a PNG image. After decompression, the camouflaged PNG converts into a bitmap (.BMP) format that deploys a remote access Trojan.
Researchers explain that this is a spear-phishing attack aimed at stealing confidential data from its targets. According to the reports, the phishing campaign began with the distribution of malicious e-mails carrying a malware-infected document and was first identified by security professionals on 13 April.
Tactics like the one described above are typical of the Lazarus Group, a leading North Korean threat actor that is actively involved in advanced data-stealing attacks aimed at South Korea, Japan, and the United States. Researchers are therefore not surprised by the sophistication of the recent phishing campaign, since Lazarus is known to use modern tactics and custom tools to improve the effectiveness of its operations.
The malicious payload delivered through the well-camouflaged .BMP image file acted as a loader that decoded and decrypted a second-stage payload into memory. The role of the second-stage payload is to receive and run commands and/or shellcode and to exfiltrate data to a remote, attacker-controlled command and control server.
According to the available details, the cleverly crafted malicious document is written in Korean and has a creation date of March 31, 2021. It appears to be an application form for a fair in South Korea and, once opened, prompts users to enable macros. The moment macros are enabled, the malicious file runs attack code that drops an executable named “AppStore.exe” on the compromised system.
In the second stage of the attack, an encrypted payload is decrypted at run time and establishes communication with a remote, attacker-controlled server from which additional commands are received, researchers explain.
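For defenders triaging image attachments, the trick described above (an HTA hidden as a zlib stream inside image data) can be caught without rendering the picture at all. The following scanner is an added example written for this article, not code from the researchers or the campaign: it walks a file for zlib headers, inflates each candidate stream, and flags any that decompress to HTML Application markup. The marker list, the minimal BMP builder and the placeholder HTA body are constructed test fixtures and assumptions of this example.

```python
import struct
import zlib
from typing import Dict, List, Tuple

# Substrings that suggest an inflated blob is HTA/HTML rather than pixel data (assumed heuristic).
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
# Common zlib stream headers (CMF 0x78 with the four standard FLG bytes).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(data: bytes, min_len: int = 16) -> List[Tuple[int, bytes]]:
    """Return (offset, inflated_bytes) for every embedded zlib stream that inflates cleanly."""
    found, off = [], 0
    while off < len(data) - 1:
        if data[off:off + 2] not in ZLIB_HEADERS:
            off += 1
            continue
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(data[off:])
        except zlib.error:
            off += 1
            continue
        if len(out) >= min_len:
            found.append((off, out))
            # Skip past the bytes this stream consumed so we do not re-scan its body.
            off += len(data[off:]) - len(inflater.unused_data)
        else:
            off += 1
    return found


def scan_image(data: bytes) -> List[Dict]:
    """Flag inflated streams that carry HTA-like markup; each hit records offset, size and markers."""
    hits = []
    for off, blob in find_zlib_streams(data):
        markers = [m.decode() for m in HTA_MARKERS if m in blob.lower()]
        if markers:
            hits.append({"offset": off, "size": len(blob), "markers": markers})
    return hits


def build_sample_bmp(hta_body: bytes) -> bytes:
    """Constructed fixture: a 1x1 24-bit BMP with a zlib-compressed blob appended after the pixel row."""
    pixel = b"\x00\x00\x00\x00"            # one BGR pixel plus padding to a 4-byte row
    pixel_offset = 14 + 40                  # BITMAPFILEHEADER + BITMAPINFOHEADER
    payload = zlib.compress(hta_body) if hta_body else b""
    file_hdr = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixel) + len(payload), 0, 0, pixel_offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixel + payload


# Harmless placeholder standing in for the hidden HTA; it contains no script.
SAMPLE_HTA = b"<html><head><hta:application id='demo'/></head><body>placeholder</body></html>"

if __name__ == "__main__":
    print(scan_image(build_sample_bmp(SAMPLE_HTA)))
```

A clean image of the same layout produces no hits, so the check can run as a mail-gateway or sandbox pre-filter on PNG and BMP attachments before any conversion step.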