Rewterz

Rewterz Threat Alert – Lazarus APT Latest Tactics and IOCs

Severity

High

Analysis Summary

Lazarus APT is one of the most capable state-sponsored threat actors, attributed to North Korea, and has been active since 2009. Its targets have included the U.S., South Korea and Japan, among others, and it continues to expand its operations to other countries. Lazarus is known to employ custom toolkits and new techniques to increase the effectiveness of its attacks. It has adapted to changing defensive trends over time, and its latest campaign delivers its loader through a multi-stage phishing lure.
The latest technique hides the loader inside an image. A malicious HTA object is stored as zlib-compressed data within a PNG image embedded in the lure document. At run time the document converts the PNG to the BMP format; because BMP is uncompressed, the conversion inflates the zlib data and exposes the embedded HTA object, which then drops the loader. Because the payload sits compressed inside an image rather than as a script in the document body, static scanning of the attachment for HTA content is unlikely to flag it, which is why the indicators below matter. The attack is assessed to start as a phishing campaign in which users are tricked into opening emails with a malicious document attached. When an unwitting victim opens the attachment, it prompts them to enable macros. Once macros are enabled, a message box appears, followed by the final phishing lure: a participation form for a local fair in a South Korean city.


Impact

  • Information theft and espionage
  • Exposure of sensitive data
  • Data exfiltration

Indicators of Compromise

Domain Name

jinjinpig[.]co[.]kr

Hostname

mail[.]namusoft[.]kr

MD5

  • ed9aa858ba2c4671ca373496a4dd05d4
  • 118cfa75e386ed45bec297f8865de671

SHA-256

  • f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72
  • ed5fbefd61a72ec9f8a5ebd7fa7bcd632ec55f04bdd4a4e24686edccb0268e05

SHA-1

  • 997885451c6629d5da8fd9bd70f0f9977eb8787a
  • 43ef1dd0097da941dbcf64f00a790d6aae3a82f4


Remediation

  • Block the domain, hostname and file hashes listed above at your respective controls (DNS, web proxy, email gateway and endpoint protection).
  • Search DNS, proxy and endpoint telemetry for the indicators above, including lookups for subdomains of the listed domain.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or open attachments sent by unknown senders.
  • Do not enable macros in documents received by email; the lure in this campaign relies on the victim enabling them.
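As an added example that is not part of the Rewterz advisory, the following Python script turns the indicator lists above into a quick triage check: it hashes every file under a directory against the MD5, SHA-1 and SHA-256 values listed, and it scans log lines for the listed domain and hostname, treating a subdomain of an indicator as a match while ignoring look-alike names that merely contain it. The sample log lines are constructed for illustration and are not from the advisory.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory above. The domains are kept in their
# defanged form and refanged with refang() before comparison with real traffic.
IOC_HASHES = {
    "md5": {
        "ed9aa858ba2c4671ca373496a4dd05d4",
        "118cfa75e386ed45bec297f8865de671",
    },
    "sha1": {
        "997885451c6629d5da8fd9bd70f0f9977eb8787a",
        "43ef1dd0097da941dbcf64f00a790d6aae3a82f4",
    },
    "sha256": {
        "f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72",
        "ed5fbefd61a72ec9f8a5ebd7fa7bcd632ec55f04bdd4a4e24686edccb0268e05",
    },
}
IOC_DOMAINS_DEFANGED = ["jinjinpig[.]co[.]kr", "mail[.]namusoft[.]kr"]


def refang(indicator):
    """Undo the [.] defanging used in advisories so the value matches real log data."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass over its bytes."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests):
    """Return the (algorithm, digest) pairs that appear in the advisory's hash lists."""
    return [
        (algo, digest.lower())
        for algo, digest in digests.items()
        if digest.lower() in IOC_HASHES.get(algo, set())
    ]


def scan_directory(root):
    """Hash every regular file under root and report those matching an IOC hash."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file (permissions, in use); skip rather than abort
        for algo, digest in match_digests(digests):
            hits.append((str(path), algo, digest))
    return hits


# Hostnames in DNS, proxy or mail logs: dotted labels ending in an alphabetic TLD,
# not glued to surrounding word characters, so URLs and key=value fields both work.
_HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)


def domain_matches(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        # "cdn.jinjinpig.co.kr" matches; "notjinjinpig.co.kr" must not.
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines):
    """Return (line_number, host, ioc_domain) for every line that touches an IOC domain."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in _HOST_RE.findall(line):
            ioc = domain_matches(host)
            if ioc:
                hits.append((lineno, host.lower(), ioc))
    return hits


# Constructed sample log lines (not from the advisory) to exercise the matcher.
SAMPLE_LOG = [
    "2021-04-22T10:01:05Z dns client=10.0.0.12 query=jinjinpig.co.kr type=A",
    "2021-04-22T10:01:09Z proxy client=10.0.0.12 url=http://mail.namusoft.kr/login status=200",
    "2021-04-22T10:02:00Z dns client=10.0.0.33 query=update.microsoft.com type=A",
    "2021-04-22T10:02:30Z dns client=10.0.0.40 query=notjinjinpig.co.kr type=A",
    "2021-04-22T10:03:00Z dns client=10.0.0.41 query=cdn.jinjinpig.co.kr type=A",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log hit:", hit)
    for hit in scan_directory("."):
        print("file hit:", hit)
```

Run it against an export of DNS or proxy logs and a directory of quarantined attachments; hash matches are exact, so they confirm the samples listed here but will not catch recompiled variants, whereas the domain check also covers subdomains the advisory does not enumerate.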