Lazarus group uses BMP images to hide malware

Criminals distribute a fake document in Korean disguised as an application form for a fair in a South Korean city.


Security researchers at Malwarebytes have reported a North Korean hacker malware campaign in which criminals target users in South Korea with targeted phishing attacks. The malicious code resides inside bitmap (.BMP) image files and allows attackers to download a remote access Trojan to the victim's computer that can steal confidential information.

Experts associate the attacks with the cybercriminal group Lazarus Group, based on similarities with previous operations. The phishing campaign began on April 13 this year by sending out emails containing a malicious document.

“The attackers used a clever method to bypass security mechanisms. The hackers embedded a malicious zlib-compressed HTA file into a PNG image, which was then converted to BMP format, ”the experts explained.

The fake document, written in Korean, is an application form for a fair in a South Korean city and prompts users to enable macros the first time they open it. After running the macros, the executable file AppStore.exe is loaded onto the victim's system. The payload then proceeds to retrieve the encrypted malware, which is decoded and decrypted at runtime and communicates with the remote C&C server for additional commands and data transfers.