Lazarus Group Uses New Technique to Avoid Detection

North Korea’s Lazarus group is using an interesting method to evade security measures, according to researchers at Malwarebytes. The threat actor is sending phishing emails with malicious macros which, when run, will execute an image file with embedded JavaScript code that will install malware. Once the malware is installed, it can execute commands or exfiltrate data.

The phishing document itself is tailored for Korean-speaking targets, and asks the user to enable macros in order to view its contents.

“The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities,” the researchers write. “The document creation time is 31 March 2021 which indicates that the attack happened around the same time. The document has been weaponized with a macro that is executed upon opening.”

The most notable part of this campaign is the attackers’ use of a BMP (bitmap) image file to hide the malicious code. This allows the code to avoid detection even by security mechanisms that are designed to look for malicious code in images.

“Since the BMP file format is uncompressed graphics file format, converting a PNG file format into BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP,” the researchers explain. “This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images. The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”
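The mechanism the researchers describe, shown as an added defender-side example (this is not code from the article or from Malwarebytes): a small Python script that builds a constructed sample PNG whose pixel bytes carry a harmless HTML-looking marker string, demonstrates that a byte-level search of the PNG as stored finds nothing because the pixels sit inside a zlib-compressed IDAT stream, and then inflates the IDAT data (which is exactly what a PNG-to-BMP conversion lays bare) so the same markers become visible. The marker list, the greyscale image layout and the minimal BMP writer are assumptions of this example.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Markers a static image scanner might look for inside pixel data.
# Constructed for this example; real detection content would be broader.
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (rb"<script", rb"<html", rb"javascript:")]

# Constructed stand-in for the embedded object: a harmless HTML-looking fragment.
SAMPLE_PAYLOAD = b"<html><script>/* placeholder, not the real payload */</script></html>"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png(payload: bytes, width: int = 64) -> bytes:
    """Constructed sample: an 8-bit greyscale PNG whose pixel bytes carry `payload`."""
    rows, data = [], payload
    while data:                        # one byte per pixel, filter byte 0 per scanline
        row, data = data[:width], data[width:]
        rows.append(b"\x00" + row.ljust(width, b"\x00"))
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows), 9)) + _chunk(b"IEND", b""))


def parse_png(png: bytes):
    """Return (width, height, inflated scanlines). The inflated IDAT stream is what a
    byte search on the stored file never sees and what a PNG->BMP conversion exposes."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat, width, height = len(PNG_SIG), [], 0, 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif ctype == b"IDAT":
            idat.append(body)
        pos += 12 + length             # length + type + data + crc
        if ctype == b"IEND":
            break
    return width, height, zlib.decompress(b"".join(idat))


def png_to_bmp(png: bytes) -> bytes:
    """Re-wrap the inflated pixels as an uncompressed 8-bit greyscale BMP (assumed layout)."""
    width, height, raw = parse_png(png)
    stride = width + 1                 # filter byte + one byte per pixel
    lines = [raw[i * stride:(i + 1) * stride] for i in range(height)]
    if any(line[0] != 0 for line in lines):
        raise ValueError("only filter type 0 is handled in this example")
    pad = (-width) % 4                 # BMP rows are 4-byte aligned and stored bottom-up
    pixels = b"".join(line[1:] + b"\x00" * pad for line in reversed(lines))
    palette = b"".join(bytes([g, g, g, 0]) for g in range(256))
    offset = 14 + 40 + len(palette)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, len(pixels), 2835, 2835, 256, 0)
    head = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return head + info + palette + pixels


def scan_bytes(blob: bytes) -> list:
    """Names of markers found anywhere in the raw bytes of `blob`, sorted."""
    return sorted(p.pattern.decode() for p in SUSPICIOUS if p.search(blob))


def scan_image(blob: bytes) -> dict:
    """Hits on the file as stored, plus hits on inflated pixel data when it is a PNG."""
    result = {"raw": scan_bytes(blob), "inflated": []}
    if blob.startswith(PNG_SIG):
        result["inflated"] = scan_bytes(parse_png(blob)[2])
    return result


if __name__ == "__main__":
    sample = build_png(SAMPLE_PAYLOAD)
    print("PNG as stored :", scan_image(sample))               # raw finds nothing; inflated hits
    print("After BMP conv:", scan_image(png_to_bmp(sample)))  # raw hits; nothing left to inflate
```

The point for a detection engineer is the `inflated` field: a scanner that only pattern-matches the bytes of a PNG on disk sees Huffman-coded deflate output, not the pixel bytes, so the same rule that fires on the converted BMP stays silent on the PNG. Inspecting decoded pixel data (or at least the inflated IDAT stream) closes that gap regardless of which container the object arrives in.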

Attackers will always find new ways to bypass technical defenses. New-school security awareness training can help your employees avoid falling for phishing attacks by teaching them how to recognize social engineering tactics.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
