• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 

U.S. CISA adds Citrix NetScaler flaw to its Known Exploited Vulnerabilities catalog

 | 

Canada bans Hikvision over national security concerns

 | 

Denmark moves to protect personal identity from deepfakes with new copyright law

 | 

Ahold Delhaize data breach affected over 2.2 Million individuals

 | 

Facebook wants access to your camera roll for AI photo edits

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 51

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Hacking
  • Malware
  • North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection

North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection

Pierluigi Paganini April 20, 2021

North Korea-linked Lazarus APT group is abusing bitmap (.BMP) image files in a recent spear-phishing campaign targeting entities in South Korea. 

Experts from Malwarebytes have uncovered a spear-phishing attack conducted by a North Korea-linked Lazarus APT group that obfuscated a malicious code within a bitmap (.BMP) image file.

The malicious code within the bitmap image file was used by threat actors to drop a remote access trojan (RAT) on the victims’ systems that allow them to steal sensitive information.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

According to a report published by Kaspersky Lab in January 2020, in the two years the North Korea-linked APT group has continued to target cryptocurrency exchanges evolving its TTPs.

In December 2020, the North Korea-linked Lazarus APT group has launched cyberattacks against at least two organizations involved in COVID-19 research.

The attack chain related to the spear-phishing campaign documented by MalwareBytes begins using a weaponized Microsoft Office document in the Korean language. The email attempts to trick victims into enabling the macros in order to view the content, but once enabled the macros in order a malicious code is executed. 

“Upon enabling the macro, a message box will pop up and after clicking the final lure will be loaded.” reads the analysis published by MalwareBytes. “The document name is in Korean “참가신청서양식.doc” and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021 which indicates that the attack happened around the same time. The document has been weaponized with a macro that is executed upon opening.”

Lazarus APT phishing

The macro first calls MsgBoxOKCancel function that pops up a message box to the user with a message claiming to be an older version of Microsoft Office.

In the background, the macro calls an executable HTA file compressed as a zlib file that is included within an overall PNG image file. 

The macro also converts the image in PNG format into BMP format by invoking the WIA_ConvertImage function. Experts pointed out that converting a PNG file format into BMP file format automatically decompresses the malicious zlib object embedded from PNG to BMP because the BMP file format is uncompressed graphics file format.

Using this trick, attackers can avoid the detection of embedded objects within images.

“The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.” states the analysis.

The HTA drops a loader for a Remote Access Trojan (RAT), which is stored as “AppStore.exe” on the target machine.  

The RAT connects the command-and-control (C2) server to receive commands and drop shellcode.

Experts found many similarities between this campaign and past Lazarus operations, for example the second stage payload has used the similar custom encryption algorithm that has been used by BISTROMATH RAT associated to Lazarus.

“The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format.” concludes the report. “The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

APT Hacking hacking news information security news IT Information Security malware North Korea Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 04, 2025
A flaw in Catwatchful spyware exposed logins of +62,000 users
Read more
Pierluigi Paganini July 03, 2025
China-linked group Houken hit French organizations using zero-days
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    A flaw in Catwatchful spyware exposed logins of +62,000 users

    Malware / July 04, 2025

    China-linked group Houken hit French organizations using zero-days

    APT / July 03, 2025

    Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

    Data Breach / July 03, 2025

    Europol shuts down Archetyp Market, longest-running dark web drug marketplace

    Cyber Crime / July 03, 2025

    Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

    Uncategorized / July 03, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT