You can now find Cyber Kendra on Google News | Telegram

Lazarus group uses BMP images to hide malware

Criminals distribute a fake document in Korean disguised as an application form for a fair in a South Korean city.

Security researchers at Malwarebytes have reported a North Korean hacker malware campaign in which criminals target users in South Korea with targeted phishing attacks. The malicious code resides inside bitmap (.BMP) image files and allows attackers to download a remote access Trojan to the victim's computer that can steal confidential information.

Experts associate the attacks with the cybercriminal group Lazarus Group, based on similarities with previous operations. The phishing campaign began on April 13 this year by sending out emails containing a malicious document.

“The attackers used a clever method to bypass security mechanisms. The hackers embedded a malicious zlib-compressed HTA file into a PNG image, which was then converted to BMP format, ”the experts explained.

The fake document, written in Korean, is an application form for a fair in a South Korean city and prompts users to enable macros the first time they open it. After running the macros, the executable file AppStore.exe is loaded onto the victim's system. The payload then proceeds to retrieve the encrypted malware, which is decoded and decrypted at runtime and communicates with the remote C&C server for additional commands and data transfers.

Post a Comment

Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.