According to researchers at Malwarebytes, the APT group conceals its malicious code in a bitmap (.BMP) image file, which it then uses to drop a remote access trojan (RAT) capable of stealing personal data and other sensitive information.
Lazarus Group is perhaps the most sophisticated and notorious of the North Korean threat actors and has been active since 2009. It is known to target mainly South Korea, but its victims include several other countries.
How do the APT hackers conceal malicious code within a BMP image to spread their RAT?
The attack begins with phishing emails carrying a malicious document. The document shows a blue-themed lure in Korean asking the user to enable macros in order to view its content.
Once macros are enabled, a message box pops up; clicking it loads the final lure onto the system, because the document carries a macro that runs as soon as it is opened. The macro starts by calling the MsgBoxOKCancel function, which shows the user a message box whose text refers to an older version of Microsoft Office.
After that, the macro converts the embedded image from PNG format to BMP format by calling WIA_ConvertImage. Because BMP is an uncompressed graphics format, converting the PNG to BMP automatically decompresses the zlib-compressed image data, and with it the malicious object embedded in the PNG.
This clever method lets the threat actor bypass security mechanisms that look for embedded objects within images: while the malicious object sits zlib-compressed inside the document's image, static detection systems do not see it in the clear.
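As an added illustration of the defender-side counterpart to this step (example code written for this article, not from the Malwarebytes report), the Python below inflates a PNG's IDAT stream, which holds the same pixel bytes a PNG-to-BMP conversion lays out uncompressed, and scans that decoded data for executable markers that a scan of the compressed file bytes would miss. The marker list and the 16x4 sample image are constructed assumptions for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Illustrative markers a scanner might flag in raw pixel data (an assumption,
# not indicators from the Malwarebytes report).
MARKERS = {b"MZ": "DOS/PE header", b"\x7fELF": "ELF header"}


def _chunks(png: bytes):
    """Yield (type, body) for each chunk; layout is length, type, body, CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length


def inflate_idat(png: bytes) -> bytes:
    """Decompress the IDAT stream: the bytes a PNG-to-BMP conversion exposes."""
    return zlib.decompress(b"".join(b for t, b in _chunks(png) if t == b"IDAT"))


def find_embedded_markers(png: bytes) -> list:
    """Scan the *decoded* scanlines, not the compressed file, for markers."""
    raw = inflate_idat(png)
    hits = []
    for marker, desc in MARKERS.items():
        off = raw.find(marker)
        while off != -1:
            hits.append((off, desc))
            off = raw.find(marker, off + 1)
    return sorted(hits)


def make_png(pixels: bytes, width: int, height: int) -> bytes:
    """Build a minimal 8-bit grayscale PNG; each scanline gets filter byte 0."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


# Constructed sample: 16x4 image whose pixel bytes carry a harmless "MZ" stub.
SAMPLE_PIXELS = b"\x00" * 20 + b"MZ" + b"\x90" * 42
SAMPLE_PNG = make_png(SAMPLE_PIXELS, 16, 4)
```

Running `find_embedded_markers` over images extracted from a macro-enabled document gives a scanner the same view the conversion step gives the malware.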