Lazarus APT uses an embedded image to conceal a RAT payload
What Is It?
A malware infection chain is the sequence of events which must occur for a malware payload to be successfully executed on an endpoint.
From an attacker’s point of view, the objective is to evade every detection mechanism attempting to stop an endpoint from becoming compromised and infected. From the defender’s perspective, while it is advantageous to be able to detect each step of an infection chain, as long as the chain can be disrupted at any point before the malicious payload executes on the endpoint, the threat is mitigated.
A great deal of effort continues to be expended in moving beyond legacy, signature-based detection tools on endpoints and improving detection efficacy. As such, attackers often direct the bulk of their time and energy to evolving techniques to evade endpoint detection. However, sometimes attackers neglect to consider the entire infection chain in their zeal to utilize innovative evasion techniques on the endpoint.
In this campaign, however, the initial component of the infection chain is a Microsoft Word document containing a malicious macro. This technique is decidedly lacking in innovation and is one which likely has a relatively high probability of detection. (Though at the time of writing, VirusTotal detection for this sample was only 29/60.) This technique also relies on successfully socially engineering the recipient into allowing macros to execute, assuming the document is not detected before reaching the user’s inbox. The document purports to be an application form for participation in a fair in a South Korean city, and the filename translates to “Application form.doc”.
While the campaign utilizes a clever technique to evade detection of the malicious payload on the endpoint, the basic approach of a malicious Word document attached to a phishing email creates a high probability that the effort spent developing this new technique will be rendered moot by detection higher up in the infection chain.
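The two points in this chain where a defender gets a cheap look are the macro-bearing Word document and the image carrying the concealed payload. The following Python script is an added example written for this page, not code from BluVector or from the campaign's samples. It assumes two things the post does not state: that the Office document is either an OOXML zip (where a VBA project lives at `word/vbaProject.bin`) or a legacy OLE file (where the `_VBA_PROJECT` stream name appears in UTF-16LE in the directory), and that the concealed payload sits after the image's `IEND` chunk rather than inside pixel data. Every sample file the script examines is constructed inline; `make_docx`, `make_png_1x1` and `triage` are names chosen for this example.

```python
"""Added triage example (not from the original post): flag Office files that
carry a VBA project and PNG files that have bytes trailing the IEND chunk.
Assumption: the hidden payload is appended after IEND; the post does not
say how the image concealed the RAT, so treat this as one heuristic only."""
import io
import struct
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# OLE directory entry names are UTF-16LE; "_VBA_PROJECT" is the stream that
# every legacy macro-enabled document carries (heuristic, not a full parser).
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def document_has_vba(data: bytes) -> bool:
    """True if an OOXML zip contains word/vbaProject.bin or an OLE file
    references the _VBA_PROJECT stream; False for anything else."""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM_UTF16 in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the IEND
    chunk's CRC. A clean PNG returns 0. Raises on non-PNG or truncated input."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if pos > len(data):
            raise ValueError("truncated PNG chunk")
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def triage(data: bytes) -> list[str]:
    """Run both checks on one file and return the list of findings."""
    findings = []
    if document_has_vba(data):
        findings.append("office-document-with-vba-project")
    if data.startswith(PNG_SIG):
        extra = png_trailing_bytes(data)
        if extra:
            findings.append(f"png-trailing-data:{extra}")
    return findings


# ---- constructed sample inputs (not real campaign artifacts) ----
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 RGB PNG built by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_docx(with_macro: bool) -> bytes:
    """A minimal OOXML zip, optionally carrying a placeholder VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    blob = b"\x00" * 64   # constructed stand-in for a concealed payload
    for label, sample in [("clean.docx", make_docx(False)),
                          ("form.docm", make_docx(True)),
                          ("clean.png", make_png_1x1()),
                          ("carrier.png", make_png_1x1() + blob)]:
        print(label, triage(sample))
```

The PNG walk deliberately follows chunk lengths rather than searching for the literal string `IEND`, so a payload that happens to contain those four bytes does not produce a false end-of-image offset.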
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The initial infection vector is a Microsoft Word document containing a malicious macro.
When/How Did BluVector Detect It?
Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. The first of these is the malicious Microsoft Word document at the beginning of the infection chain. This sample would have been detected 84 months, or a full 7 years, prior to its release as part of this campaign. The second sample is the malicious executable, which, although it is decrypted and extracted on the endpoint, could potentially be seen on the network if it were copied, for example by a simple backup. This sample would have been detected 52 months prior to its release, giving an average detection across both files of 68 months.