Lazarus hacking group now hides payloads in BMP image files
The Lazarus group has tweaked its loader obfuscation techniques by abusing image files in a recent phishing campaign. Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea.
Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.
South Korean organizations are consistent targets for Lazarus, although the APT has also been traced back to cyberattacks in the US and, more recently, South Africa. In a campaign documented by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads in image files. The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) and a lure in the Korean language. Intended victims are asked to enable macros in order to view the file's content, which, in turn, triggers a malicious payload.