Lazarus APT uses an embedded image to conceal a RAT payload

What Is It?

A malware infection chain is the sequence of events which must occur for a malware payload to be successfully executed on an endpoint.

From an attacker’s point of view, the objective is to evade every detection mechanism attempting to stop an endpoint from becoming compromised and infected. From the defender’s perspective, while it is advantageous to be able to detect each step of an infection chain, as long as the chain can be disrupted at any point before the malicious payload executes on the endpoint, the threat is mitigated.

A great deal of effort continues to be expended in moving beyond legacy, signature-based detection tools on endpoints and improving detection efficacy. As such, attackers often direct the bulk of their time and energy to evolving techniques to evade endpoint detection. However, sometimes attackers neglect to consider the entire infection chain in their zeal to utilize innovative evasion techniques on the endpoint.

One such example was recently described by researchers from Malwarebytes targeting users in South Korea. They have attributed the campaign to the North Korean Lazarus APT group (Articles: link, link, link, link, link, link.). The infection chain utilizes a multi-step process to extract, decrypt and execute a malicious payload from a Microsoft Word document. It includes a novel technique using JavaScript in an HTA file, embedded in a BMP image that is itself stored in a PNG image file, to drop the malicious payload. The intention, of course, is to evade detection on the endpoint.

However, the initial component of the infection chain is a Microsoft Word document containing a malicious macro. This technique is decidedly lacking in innovation and is one which likely has a relatively high probability of detection. (Though at the time of writing, VirusTotal detection for this sample was only 29/60.) This technique also relies on successfully socially engineering the recipient to allow macros to execute, assuming it is not detected before reaching the user’s inbox. The document purports to be an application form for participation in a fair in a South Korean city, and the filename translates to “Application form.doc”.

If the user permits the macro to execute, it saves the Word document out in HTML format, which also writes all of the document’s images out as files. It then reads in one of the PNG image files and uses a built-in function to convert it to a BMP image file. The attacker does this because PNG image files are compressed and BMP files are not: the PNG file contains a compressed HTA file that is decompressed when the image is saved as a BMP. It is a clever technique to bypass detection of embedded objects on the endpoint. The HTA file is executed, which results in the JavaScript it contains running to create and execute the malicious RAT (Remote Access Trojan) executable.
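To make the PNG-to-BMP step concrete, here is an added example in Python (not code from this report or from Malwarebytes’ analysis). It builds a constructed PNG whose pixel data carries an inert HTA-like text fragment, then shows that a naive string scan of the PNG file misses the script markers while the inflated pixel data, which is exactly what a BMP conversion writes out uncompressed, exposes them. The marker list, the sample payload and the helper names are all constructed for this example; only PNG filter type 0 is handled, so a real image with other filters would need full PNG unfiltering (for example via Pillow).

```python
"""Decode a PNG's pixel data and scan it for script/HTA markers.

Added example, not code from the report or from Malwarebytes. The PNG
builder, the marker list and the sample payload are constructed for
illustration; the payload is an inert text fragment, not the campaign's HTA.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings a defender would not expect inside the pixel data of an image
# embedded in an office document (constructed list; extend as needed).
SCRIPT_MARKERS = (b"<html", b"<hta:application", b"<script", b"ActiveXObject")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes, width: int = 64) -> bytes:
    """Wrap arbitrary bytes as the RGB pixel data of a valid PNG (constructed sample)."""
    row_bytes = width * 3  # 8-bit RGB, 3 bytes per pixel
    padded = payload + b"\0" * (-len(payload) % row_bytes)
    height = len(padded) // row_bytes
    # Each scanline is prefixed with filter type 0 (None), so the raw bytes
    # survive unchanged once the IDAT stream is inflated.
    raw = b"".join(b"\0" + padded[i:i + row_bytes] for i in range(0, len(padded), row_bytes))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")


def png_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def decoded_pixel_bytes(data: bytes) -> bytes:
    """Inflate the IDAT stream and strip the per-row filter bytes.

    This is the data a PNG-to-BMP conversion writes out uncompressed, which is
    why the PNG->BMP step in the report exposes the embedded content. Only
    filter type 0 is handled here.
    """
    ihdr, idat = None, b""
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"IDAT":
            idat += body  # IDAT chunks concatenate into one zlib stream
    if ihdr is None or not idat:
        raise ValueError("missing IHDR or IDAT")
    width, height, depth, color = struct.unpack(">IIBB", ihdr[:10])
    channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}[color]
    stride = 1 + (width * channels * depth + 7) // 8  # filter byte + packed pixels
    raw = zlib.decompress(idat)
    rows = []
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise NotImplementedError(f"PNG filter type {row[0]} not handled")
        rows.append(row[1:])
    return b"".join(rows)


def scan_png_for_scripts(data: bytes) -> dict:
    """Report which markers appear in the compressed file vs. the decoded pixels."""
    decoded = decoded_pixel_bytes(data)
    return {
        "in_raw_file": [m for m in SCRIPT_MARKERS if m in data],
        "in_decoded_pixels": [m for m in SCRIPT_MARKERS if m in decoded],
    }


# Constructed, inert stand-in for an HTA wrapper: it carries the markers but no actions.
SAMPLE_PAYLOAD = (
    b'<html><head><hta:application id="x"/></head>'
    b'<script language="JScript">/* constructed marker only */</script></html>'
)
SAMPLE_PNG = build_sample_png(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(scan_png_for_scripts(SAMPLE_PNG))
```

The takeaway for detection engineering is in the two lists the scan returns: the DEFLATE-coded IDAT stream contains none of the marker strings, so a content scanner that only inspects the PNG file as stored will miss them, whereas inflating the image data (as any PNG decoder or the macro’s BMP conversion does) reveals them. Scanning decoded image payloads of documents, not just their raw bytes, closes that gap.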

While utilizing a clever technique to evade detection of the malicious payload on the endpoint, the basic approach of a malicious Word document attached to a phishing email creates a high probability the effort in developing this new technique will be rendered moot by detection higher up in the infection chain.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector is a Microsoft Word document containing a malicious macro.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. The first of these is the malicious Microsoft Word document at the beginning of the infection chain. This sample would have been detected 84 months, or a full 7 years, prior to its release as part of this campaign. The second sample is the malicious executable, which although it is decrypted and extracted on the endpoint, could potentially be seen if it was copied over the network, possibly by a simple backup. This sample would have been detected 52 months prior to its release, giving an average detection across both files of 68 months.
