{"id":5731,"date":"2021-04-22T07:09:17","date_gmt":"2021-04-22T07:09:17","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=5731"},"modified":"2021-04-22T07:09:22","modified_gmt":"2021-04-22T07:09:22","slug":"malware-within-bmp-image","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/","title":{"rendered":"Beware of a New Malware Campaign that Hides Malicious code within BMP Image"},"content":{"rendered":"\n<p>Lazarus APT is one of the most sophisticated North Korean threat actors and has been active since at least 2009.<\/p>\n\n\n\n<p>This actor is known to target the U.S., South Korea, Japan, and several other countries. In one of its most recent campaigns, Lazarus used a complex targeted phishing attack against security researchers.<\/p>\n\n\n\n<p>Experts from Malwarebytes have revealed a spear-phishing attack carried out by the North Korea-linked Lazarus APT group that concealed malicious code within a bitmap (.BMP) image file.<\/p>\n\n\n\n<p>Lazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Process of the Attack<\/strong><\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2021\/04\/process.jpg\" alt=\"\" width=\"866\" height=\"168\"\/><figcaption><em>Process Graph<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>This attack possibly started with phishing emails weaponized with a malicious document. 
Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.<\/p>\n\n\n\n<p>Upon enabling the macro, a message box pops up, and after the user clicks it the final lure is loaded.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote td_quote_box td_box_center is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cThe document name is in Korean \u201c\ucc38\uac00\uc2e0\uccad\uc11c\uc591\uc2dd.doc\u201d and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021, which indicates that the attack happened around the same time\u201d, according to the analysis published by <a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2021\/04\/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat\/\" target=\"_blank\" rel=\"noreferrer noopener\">MalwareBytes<\/a>.<\/p><\/blockquote>\n\n\n\n<p>The document has been weaponized with a macro that executes upon opening. The macro starts by calling the MsgBoxOKCancel function, which pops up a message box to the user with a message claiming to be an older version of Microsoft Office.<\/p>\n\n\n\n<p>In the background, the macro calls an executable HTA file that has been zlib-compressed and embedded within a PNG image file. The macro also converts the image from PNG format into BMP format by invoking the WIA_ConvertImage function.<\/p>\n\n\n\n<p>Experts pointed out that converting the PNG file into BMP format automatically decompresses the malicious zlib object embedded in it, since BMP is an uncompressed graphics file format.<\/p>\n\n\n\n<p>Using this trick, attackers can avoid detection of objects embedded within images.<\/p>\n\n\n\n<p>The executable HTA file drops a loader for a Remote Access Trojan (RAT), which is stored as \u201cAppStore.exe\u201d on the target machine. 
The RAT connects to the command-and-control (C2) server to receive commands and drop shellcode.<\/p>\n\n\n\n<p>Researchers found many similarities between this campaign and past Lazarus operations; for instance, the second-stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT associated with Lazarus.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Final Word<\/strong><\/h4>\n\n\n\n<p>Experts say that the actor used a clever method to bypass security mechanisms: it embedded its malicious HTA file as a zlib-compressed object within a PNG file, which is then decompressed at run time by converting the image to the BMP format.<\/p>\n\n\n\n<p>The second-stage payload can receive and execute commands or shellcode, as well as perform exfiltration and communicate with a command-and-control server.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lazarus APT is one of the most sophisticated North Korean Threat Actors that has been active since at least 2009. This actor is known to target the U.S., South Korea, Japan, and several other countries. In one of their most recent campaigns, Lazarus used a complex targeted phishing attack against security researchers. 
Experts from Malwarebytes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5733,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png","fifu_image_alt":"Beware of a New Malware Campaign that Hides Malicious code within BMP Image","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[33,48],"tags":[475,268],"class_list":{"0":"post-5731","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-malware","8":"category-threats","9":"tag-bmp-image","10":"tag-malware-attack"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New Malware Campaign that Hides Malicious code within BMP Image<\/title>\n<meta name=\"description\" content=\"A spear-phishing attack carried out by a North Korea-linked APT group that obfuscated a malicious code within a bitmap (.BMP) image file.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Beware of a New Malware Campaign that Hides Malicious code within BMP Image\" \/>\n<meta property=\"og:description\" content=\"A spear-phishing attack carried out by a North Korea-linked APT group that obfuscated a malicious code within a bitmap (.BMP) image file.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber 
Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2021-04-22T07:09:17+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-04-22T07:09:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"New Malware Campaign that Hides Malicious code within BMP Image","description":"A spear-phishing attack carried out by a North Korea-linked APT group that obfuscated a malicious code within a bitmap (.BMP) image file.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/","og_locale":"en_US","og_type":"article","og_title":"Beware of a New Malware Campaign that Hides Malicious code within BMP Image","og_description":"A spear-phishing attack carried out by a North Korea-linked APT group that obfuscated a malicious code within a bitmap (.BMP) image file.","og_url":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2021-04-22T07:09:17+00:00","article_modified_time":"2021-04-22T07:09:22+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png","type":"","width":"","height":""}],"author":"Guru Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"Beware of a New Malware Campaign that Hides Malicious code within BMP Image","datePublished":"2021-04-22T07:09:17+00:00","dateModified":"2021-04-22T07:09:22+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/"},"wordCount":522,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#primaryimage"},"thumbnailUrl":"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png?w=728&resize=728,380&ssl=1","keywords":["BMP image","malware attack"],"articleSection":["Malware","Threats"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#respond"]}],"copyrightYear":"2021","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/","url":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/","name":"New Malware Campaign that Hides Malicious code within BMP 
Image","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#primaryimage"},"thumbnailUrl":"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png?w=728&resize=728,380&ssl=1","datePublished":"2021-04-22T07:09:17+00:00","dateModified":"2021-04-22T07:09:22+00:00","description":"A spear-phishing attack carried out by a North Korea-linked APT group that obfuscated a malicious code within a bitmap (.BMP) image file.","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#primaryimage","url":"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png?w=728&resize=728,380&ssl=1","contentUrl":"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png?w=728&resize=728,380&ssl=1","width":"728","height":"380","caption":"Beware of a New Malware Campaign that Hides Malicious code within BMP Image"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/malware-within-bmp-image\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"Beware of a New Malware Campaign that Hides Malicious code within BMP 
Image"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware 
research, ransomware, and computer forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i2.wp.com\/1.bp.blogspot.com\/-mWAQXfzib84\/YIEelzvGWLI\/AAAAAAAAMo8\/csPnbEnkKmQBvM8zQHqoJHwXo5iwRfM1wCLcBGAsYHQ\/s16000\/Malware%2Bwithin%2BBMP%2BImage1.png?w=728&resize=728,380&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/5731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=5731"}],"version-history":[{"count":1,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/5731\/revisions"}],"predecessor-version":[{"id":5732,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/5731\/revisions\/5732"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/5733"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=5731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=5731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=5731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}