Lazarus APT Hackers inject RAT malware


Security researchers have recently revealed a clever new tactic for evading security mechanisms in order to deploy RAT malware on targeted devices.

The threat actor behind this attack method is a North Korean hacking group known as Lazarus Group, and the target is South Korea.

The actor used an ingenious method: it embedded its malicious HTA file in a zlib-compressed file that pretends to be a PNG file. After decompression, the camouflaged PNG converts into bitmap (.BMP) format, which deploys a remote access Trojan.
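A defender can triage suspect PNG attachments by inflating the zlib-compressed pixel stream and looking for script text in it. The following is an added example, not code from the article or from the researchers it cites; the marker list, the function names and the restriction to non-interlaced images with unfiltered rows are assumptions.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed indicator strings for HTA/script content (not taken from the report).
MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def png_chunks(data):
    """Yield (type, body) for every chunk, rejecting truncation and bad CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC")
        yield ctype, body
        pos = end

def scan_png(data):
    """Return sorted markers found in the inflated IDAT (pixel) stream."""
    chunks = list(png_chunks(data))
    ihdr = next((b for t, b in chunks if t == b"IHDR"), None)
    if ihdr is None or len(ihdr) < 13:
        raise ValueError("missing IHDR")
    width, _height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    raw = zlib.decompress(b"".join(b for t, b in chunks if t == b"IDAT"))
    stride = (width * CHANNELS[colour] * depth + 7) // 8 + 1  # +1 filter byte
    # Drop each row's filter byte so a marker spanning two rows is not split.
    pixels = b"".join(raw[i + 1:i + stride] for i in range(0, len(raw), stride))
    haystack = (raw + b"\n" + pixels).lower()
    return sorted(m.decode() for m in MARKERS if m in haystack)

def build_png(payload, width=16):
    """Constructed sample: 8-bit greyscale PNG whose pixel bytes are payload."""
    payload += b"\x00" * (-len(payload) % width)
    rows = b"".join(b"\x00" + payload[i:i + width] for i in range(0, len(payload), width))
    def chunk(t, b):
        return struct.pack(">I", len(b)) + t + b + struct.pack(">I", zlib.crc32(t + b))
    ihdr = struct.pack(">IIBBBBB", width, len(payload) // width, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

if __name__ == "__main__":
    sample = b'<script>new ActiveXObject("WScript.Shell")</script>'  # constructed
    print(scan_png(build_png(sample, width=5)))
```

Images saved with non-zero row filters or interlacing transform the pixel bytes, so a complete check would reverse those steps before matching. Treat a hit as a lead for analysis rather than a verdict.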

Researchers explain that this is a spear-phishing attack aimed at stealing confidential data from its targets. According to the reports, the phishing campaign started with the distribution of malicious e-mails containing a malware-infected document and was first identified by security professionals on the 13th of April.

Tactics like the one described above are typical for the Lazarus Group, a leading North Korean threat actor that is actively involved in advanced data-stealing attacks aimed at South Korea, Japan, and the United States. Researchers therefore aren’t surprised by the sophistication of the recent phishing campaign, since Lazarus has been known to use modern tactics and custom tools to improve the effectiveness of the attacks in its operations.

The malicious payload, delivered through a well-camouflaged .BMP image file, acted as a loader that decoded and decrypted a second-stage payload into memory. The role of the second-stage payload is to receive and run commands and/or shellcode and to exfiltrate data to a remote hacker-controlled command and control server.

According to the available details, the cleverly crafted malicious document is written in Korean and has March 31, 2021 as its date of creation. It appears to be an application form for a fair in South Korea and, once clicked on, prompts users to enable macros. The moment macros are enabled, the malicious file runs attack code that drops an executable file named “AppStore.exe” on the compromised system.

In the second stage of the attack, an encrypted payload gets decrypted at run time and establishes communication with a remote hacker-controlled server from where additional commands are received, researchers explain.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.