Lazarus (Hidden Cobra) Group Employs HTA Embedded BMP Files


Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the Lazarus (also known as Hidden Cobra, Zinc, Nickel Cobra) Advanced Persistent Threat (APT) Group, operating since 2009. Lazarus is believed to be a North Korean government-backed threat group that has targeted victims worldwide. The majority of the group's targets are aerospace, financial, government, media, logistics, and technology sectors. Lazarus (Hidden Cobra) uses 100+ tools in its attack campaigns, including Bankshot, Dacls, HOPLIGHT, KEYMARBLE, Mimikatz, Proxysvc, RATANKBA, RawDisk, TYPEFRAME, Volgmer, and WannaCry.

Lazarus’ Latest Targeted Phishing Campaign

In one of its most recent campaigns, Lazarus used a complex targeted phishing attack on security researchers. To maximize the effectiveness of its attacks, Lazarus is known to employ new strategies and custom toolkits. In this campaign it dropped its loader with an interesting technique: BMP files embedded with malicious HTA artifacts [1].

In detail, the Lazarus threat actor evaded security controls by embedding its malicious HTA file, zlib-compressed, inside a PNG image; at runtime the image is converted to the BMP format, which decompresses the embedded data. The dropped loader then decoded and decrypted the second-stage payload and stored it in memory. The second-stage payload receives and executes commands/shellcode, exfiltrates data, and communicates with a command and control server.
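The conversion step above is what exposes the hidden script: PNG pixel data is zlib-compressed inside IDAT chunks, and writing the same image as BMP stores those pixels uncompressed. As an added triage example (not code from the page or from Malwarebytes), the scanner below inflates a PNG's IDAT stream, or reads a BMP's pixel area directly, and looks for HTA markers; the image blobs at the bottom are constructed samples, not real Lazarus artifacts.

```python
import re
import struct
import zlib

# Markers that indicate HTML Application content hiding in pixel data.
HTA_MARKERS = re.compile(rb"<hta:application|<script\b|ActiveXObject", re.IGNORECASE)

def _png_inflated_pixels(data: bytes) -> bytes:
    """Concatenate all IDAT chunks and inflate them, which is what a PNG->BMP conversion does."""
    pos, idat = 8, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"IDAT":
            idat += data[pos + 8:pos + 8 + length]
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
    try:
        return zlib.decompress(idat)
    except zlib.error:
        return b""

def scan_image_for_hta(data: bytes) -> list:
    """Return the (lower-cased) HTA markers found in the decoded pixel area of a PNG or BMP."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        pixels = _png_inflated_pixels(data)
    elif data.startswith(b"BM") and len(data) >= 14:
        offset = struct.unpack("<I", data[10:14])[0]  # bfOffBits: start of pixel array
        pixels = data[offset:]
    else:
        return []
    return sorted({m.group(0).lower() for m in HTA_MARKERS.finditer(pixels)})

# --- Constructed samples (hypothetical, not real Lazarus artifacts) ---
HTA_TEXT = b'<html><hta:application id="x"/><script>var o=new ActiveXObject("WScript.Shell");</script></html>'

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

# PNG whose IDAT stream is the zlib-compressed HTA (the technique described above).
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 64, 1, 8, 6, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(HTA_TEXT)) + _chunk(b"IEND", b""))
# BMP after conversion: 14-byte file header + 40-byte DIB header, then the now-plain HTA as "pixels".
SAMPLE_BMP = b"BM" + struct.pack("<IHHI", 54 + len(HTA_TEXT), 0, 0, 54) + b"\x00" * 40 + HTA_TEXT
CLEAN_BMP = b"BM" + struct.pack("<IHHI", 54 + 16, 0, 0, 54) + b"\x00" * 40 + b"\xff" * 16

if __name__ == "__main__":
    for name, blob in [("png", SAMPLE_PNG), ("bmp", SAMPLE_BMP), ("clean", CLEAN_BMP)]:
        print(name, scan_image_for_hta(blob))
```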

Picus Labs has updated the Picus Threat Library with this .doc malware and the malicious .exe file downloaded by this malware.

Picus ID   Threat Name
884096     Malware Downloader used by Lazarus APT Group .DOC File Download Variant-1
340431     Malware used by Lazarus (Hidden Cobra) Group .EXE File Download Variant-6

Other Threats of Lazarus in Picus Threat Library

Picus Threat Library consists of 56 threats of the Lazarus (Hidden Cobra) threat actor, including:

  • ARTFULPIE Malware Downloader used by Lazarus Threat Group .EXE File Download
  • Blindingcan Trojan used by Lazarus Threat Group .DLL File Download
  • BUFFETLINE Trojan used by Lazarus Threat Group .EXE File Download
  • CROWDEDFLOUNDER RAT used by Lazarus Threat Group .DLL File Download
  • Dacls RAT used by Lazarus Threat Group .BIN File Download
  • Dacls RAT used by Lazarus Threat Group .EXE File Download
  • Dacls RAT used by Lazarus Threat Group .SMI File Download
  • Dacls RAT used by Lazarus Threat Group .ZIP File Download
  • Dtrack RAT used by Lazarus Group .EXE File Download
  • Hermes Ransomware used by Lazarus Threat Group .EXE File Download
  • HOPLIGHT Trojan used by Lazarus Threat Group .EXE File Download
  • HOTCROISSANT Trojan used by Lazarus Threat Group .EXE File Download
  • Keymarble RAT Malware used by Hidden Cobra (Lazarus Group) Threat Group .EXE File Download
  • Lazarus Threat Group PowerRatankba Attack Scenario
  • Lazarus Group HaoBao Campaign Attack Scenario
  • Lazarus Group's Ghostscript Exploit .DLL File Download
  • Lazarus Group's Ghostscript Exploit .HWP File Download
  • Lazarus Group's Trojan .DLL File Download
  • Lazarus Group's Trojan .EXE File Download
  • Lazarus Group's Trojan .HWP File Download
  • Lazarus Threat Group Attack Scenario
  • Malware Downloader used by Lazarus APT Group .DOC File Download
  • Malware used by Lazarus (Hidden Cobra) Group .EXE File Download
  • Malware used by Lazarus Threat Group .EXE File Download
  • Office Malware used by Hidden Cobra (Lazarus Group) Threat Group .XLS File Download
  • PowerRatankba Trojan Downloader Used by Lazarus Threat Group in FastCash 2.0 Campaign .EXE File Download
  • PowerRatankba Trojan Downloader Used by Lazarus Threat Group in FastCash 2.0 Campaign .PS1 File Download
  • Shellcode Execution used by Lazarus Group
  • SLICKSHOES banking malware used by Lazarus Threat Group .DLL File Download
  • Trojan used by Lazarus (Hidden Cobra) Group .EXE File Download
  • ValeforBeta Trojan used by Lazarus Threat Group .EXE File Download
  • VHD Ransomware used by Lazarus Threat Group .DLL File Download
  • VHD Ransomware used by Lazarus Threat Group .EXE File Download
  • VSingle Trojan used by Lazarus Threat Group .DLL File Download

MITRE ATT&CK Techniques used by Lazarus in This Campaign

  • Discovery
    • T1010 - Application Window Discovery
    • T1082 - System Information Discovery
    • T1012 - Query Registry
    • T1497 - Virtualization/Sandbox Evasion
  • Privilege Escalation
    • T1055 - Process Injection
  • Execution
    • T1204 - User Execution
  • Persistence
    • T1137 - Office Application Startup
  • Collection
    • T1114 - Email Collection
  • Command and Control
    • T1043 - Commonly Used Port

References

[1] https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/