Lazarus Group Uses New Technique to Avoid Detection

Stu Sjouwerman | Apr 29, 2021

North Korea’s Lazarus Group is using an interesting method to evade security measures, according to researchers at Malwarebytes. The threat actor sends phishing emails carrying a document with a malicious macro; when the macro runs, it extracts JavaScript code hidden inside an image file and uses that code to install malware. Once the malware is installed, it can execute commands or exfiltrate data.

The phishing document itself is tailored to Korean-speaking targets and asks the user to enable macros in order to view its contents.

“The document name is in Korean, ‘참가신청서양식.doc’, and it is a participation application form for a fair in one of the South Korean cities,” the researchers write. “The document creation time is 31 March 2021, which indicates that the attack happened around the same time. The document has been weaponized with a macro that is executed upon opening.”

The most notable part of this campaign is the attackers’ use of a BMP (bitmap) image file to carry the malicious code. The payload starts out inside a PNG, where it is zlib-compressed along with the rest of the image data, so a static scanner that searches the file for known malicious content sees only compressed bytes. Only when the macro converts the PNG to the uncompressed BMP format on the victim’s machine does the payload appear in the clear. That is why the technique can slip past security mechanisms designed to look for malicious code embedded in images: the check runs against the stored file, not against what the file decompresses to. A scanner that inflates image data before matching, or a control that flags Office macros converting images between formats, would not be fooled in the same way.

“Since the BMP file format is an uncompressed graphics file format, converting a PNG file format into BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP,” the researchers explain. “This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images. The reason is that the document contains a PNG image that has a compressed zlib malicious object, and since it’s compressed it cannot be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”
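The following is an added example, not code from the Malwarebytes report or from the campaign, that demonstrates the mechanism described above in miniature. It assumes the hidden object sits in the PNG's pixel data, which is the part of a PNG that the format zlib-compresses; the page does not say exactly where the actor embedded it. A constructed, harmless JScript fragment stands in for the real payload. The example builds a PNG around that fragment, shows that a byte-level static scan of the PNG finds nothing, converts the PNG to an uncompressed BMP and shows the same scan now hits, and finally shows a detection that inflates the image data before scanning, which catches the payload while it is still a PNG.

```python
"""Why a payload hidden in compressed PNG data evades a static scan, and
why it reappears after conversion to uncompressed BMP.

Added example; the payload and image layout are constructed assumptions,
not the actual Lazarus artifacts."""
import struct
import zlib

# Constructed stand-in for the malicious object: an inert JScript fragment.
PAYLOAD = (b'<script language="JScript">'
           b'new ActiveXObject("WScript.Shell").Run("calc.exe");'
           b'</script>')
MARKER = b"ActiveXObject"          # what a naive signature would look for
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, data):
    """One PNG chunk: 4-byte length, tag, data, CRC32 over tag + data."""
    return (struct.pack(">I", len(data)) + tag + data
            + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF))


def build_png(payload, width=256):
    """8-bit greyscale PNG whose pixel bytes are `payload`, zero padded.

    Every scanline is a filter byte (0 = None) followed by `width` pixels;
    the whole scanline stream is deflated into the IDAT chunk, which is what
    hides the payload from a byte-level scan of the file."""
    height = (len(payload) + width - 1) // width
    raw = payload.ljust(height * width, b"\0")
    scanlines = b"".join(b"\0" + raw[r * width:(r + 1) * width]
                         for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines, 9))
            + _chunk(b"IEND", b""))


def png_pixels(png):
    """Parse chunks, inflate IDAT and strip filter bytes.

    Handles filter type 0 only, which is all build_png emits; a general
    decoder would also have to unfilter types 1-4."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length
    scan = zlib.decompress(idat)
    stride = width + 1
    raw = b"".join(scan[r * stride + 1:(r + 1) * stride] for r in range(height))
    return width, height, raw


def png_to_bmp(png):
    """Re-encode as an 8-bit palettised BMP: headers, grey palette, then the
    raw pixel rows bottom-up and padded to 4 bytes. There is no compression
    step, so bytes that lived inside the deflate stream are now stored
    verbatim. (Rows are reversed, so a payload spanning rows would be split;
    build_png's default width keeps a short payload in one row.)"""
    width, height, raw = png_pixels(png)
    stride = (width + 3) & ~3
    rows = [raw[r * width:(r + 1) * width].ljust(stride, b"\0")
            for r in range(height)]
    pixels = b"".join(reversed(rows))
    palette = b"".join(bytes((i, i, i, 0)) for i in range(256))
    offset = 14 + 40 + len(palette)
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0,
                              len(pixels), 2835, 2835, 256, 0)
    return file_header + info_header + palette + pixels


def static_scan(blob, marker=MARKER):
    """What a byte-level static scanner sees: the marker as stored on disk."""
    return marker in blob


def scan_decoded_pixels(png, marker=MARKER):
    """Detection that survives the trick: inflate the image and scan the
    pixel bytes, i.e. exactly what a PNG-to-BMP conversion would write out."""
    return marker in png_pixels(png)[2]


def demo(payload=PAYLOAD):
    """Run the three checks and return their results."""
    png = build_png(payload)
    bmp = png_to_bmp(png)
    return {"png_static_hit": static_scan(png),
            "bmp_static_hit": static_scan(bmp),
            "png_decoded_hit": scan_decoded_pixels(png),
            "png_bytes": len(png), "bmp_bytes": len(bmp)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three results is the gap between them: the PNG as stored fails the static check, the BMP produced from it passes, and inflating the PNG's IDAT data before matching closes the gap without waiting for the conversion to happen on an endpoint.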

Attackers will always find new ways to bypass technical defenses, and this campaign still depends on a user enabling macros. New-school security awareness training can help your employees avoid falling for phishing attacks by teaching them to recognize social engineering tactics such as a document that demands macros be enabled before it will display.
