Lazarus APT is one of the most complex and sophisticated state-sponsored threat actors attributed to North Korea and has been active since 2009. Lazarus has targeted the U.S., South Korea, and Japan, among others, and continues to spread its malice to other countries. The group is known to employ custom toolkits and new techniques to increase the effectiveness of its attacks. It has adapted to changing trends in cybersecurity over time, and it now uses a complex phishing attack to target its victims.
The latest technique uses a BMP file embedded with malicious HTA objects to drop its loader. The malicious HTA object is zlib-compressed and hidden inside a PNG image; at run time the image is converted to the BMP format, which decompresses the payload. The attack is hypothesized to start as a phishing campaign in which users are tricked into opening emails with malicious files attached. When an unwitting victim opens the attachment, the document prompts the viewer to enable macros. This leads to a message box that loads the final phishing lure: a participation form for a local fair in a South Korean city.
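The following is an added example written for this page, not code from the article or from any analysed sample. It shows one way a defender can triage image files for the hiding technique described above: it validates the BMP header, measures how many bytes trail the pixel array the header declares, and scans the file for zlib streams whose inflated content carries HTA-style markers. The BMP builder only exists to produce a constructed, harmless test input; the marker list and the threshold values are assumptions for illustration, not indicators taken from the campaign.

```python
import struct
import zlib

# Markers that an inflated HTA-style payload would typically contain.
# Constructed list for this example; extend with your own indicators.
HTA_MARKERS = (b"<hta:application", b"<script", b".hta")

# Standard zlib stream headers (CMF=0x78, FLG chosen so CMF*256+FLG % 31 == 0).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(data: bytes, min_len: int = 16):
    """Return [(offset, inflated_bytes)] for every position where a zlib header
    appears and a complete stream inflates from it."""
    results = []
    for hdr in ZLIB_HEADERS:
        start = 0
        while True:
            idx = data.find(hdr, start)
            if idx == -1:
                break
            try:
                d = zlib.decompressobj()
                out = d.decompress(data[idx:])
                # require a cleanly terminated stream; random bytes that happen
                # to look like a header rarely survive this check
                if d.eof and len(out) >= min_len:
                    results.append((idx, out))
            except zlib.error:
                pass
            start = idx + 1
    results.sort(key=lambda r: r[0])
    return results


def inspect_bmp(data: bytes):
    """Triage a BMP blob: validate the header, report bytes trailing the
    declared file size, and flag embedded zlib streams that look like HTA."""
    report = {"is_bmp": False, "slack_bytes": 0, "streams": [], "hta_like": False}
    if len(data) < 14 or data[:2] != b"BM":
        return report
    report["is_bmp"] = True
    # BITMAPFILEHEADER after the "BM" magic: size, reserved1, reserved2, pixel offset
    file_size, _r1, _r2, _pixel_offset = struct.unpack_from("<IHHI", data, 2)
    # data past the size the header declares is a classic hiding spot
    report["slack_bytes"] = max(0, len(data) - file_size)
    for off, blob in find_zlib_streams(data):
        lower = blob.lower()
        hits = [m.decode() for m in HTA_MARKERS if m in lower]
        report["streams"].append({"offset": off, "size": len(blob), "markers": hits})
        if hits:
            report["hta_like"] = True
    return report


def build_sample_bmp(payload: bytes) -> bytes:
    """Constructed test input only: a valid 2x2 24-bit BMP followed by a
    zlib-compressed payload appended after the pixel array."""
    width, height = 2, 2
    row = b"\x00\x00\xff" * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # BMP rows are padded to 4 bytes
    pixels = row * height
    # BITMAPINFOHEADER (40 bytes)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    header_size = 14 + len(dib)
    file_size = header_size + len(pixels)
    hdr = b"BM" + struct.pack("<IHHI", file_size, 0, 0, header_size)
    return hdr + dib + pixels + zlib.compress(payload)


# Constructed, inert placeholder standing in for an HTA document.
SAMPLE_HTA = (b'<html><head><HTA:APPLICATION id="demo"/></head>'
              b"<body><script>/* placeholder, no code */</script></body></html>")

if __name__ == "__main__":
    sample = build_sample_bmp(SAMPLE_HTA)
    print(inspect_bmp(sample))
```

The slack-byte count is the cheapest signal: a well-formed BMP has nothing after the declared file size, so any trailing data is worth a second look even when no zlib header is found. The stream scan then confirms whether that slack inflates into script-like content; run it over the file an Office document writes out after converting an embedded image, since that is the stage where the compressed object becomes visible.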