Lazarus Group Now Hiding Malware Payloads in BMP Images


Notorious hacking gang Lazarus Group has taken up a novel attack vector: hiding malware payloads within BMP images, which are in turn embedded in Microsoft Office documents. Lazarus Group operates primarily from North Korea, and as such, the campaign has been using South Korea as its primary target. The group often tests the success of various campaigns against its neighbor before expanding globally. Known as one of the most prolific and sophisticated APTs out there, Lazarus Group has been in operation for over a decade. It is considered responsible for worldwide attacks, including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.

The campaign has been studied closely by researchers at Malwarebytes.

The malware attack begins with a spear-phishing attack aimed toward South Korean executives and government officials. The phishing email contains a Microsoft Office document (참가신청서양식.doc) and a lure in the Korean language. Potential victims are asked to ‘Enable Macros’ to view the content. This is a common technique in Office document-based attacks; agreeing to enable macros will trigger the next stage of the attack.

The macro brings up a pop-up message which claims to be an old version of Office; the macro then calls an executable HTA file that is stored as a zlib-compressed object within a PNG image file.

During decompression, the PNG is converted to BMP. Once triggered, the HTA will deploy the malware – a Remote Access Trojan (RAT), stored as “AppStore.exe” on the target machine.

“This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”

The malware can link up to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is base64 encoded and encrypted using a custom encryption algorithm that has previously been linked to Lazarus Group’s Bistromath RAT.

The campaign comes following a warning from Google’s Threat Analysis Group (TAG), which stated that Lazarus Group targeted cybersecurity researchers across social media. The attack was initially noticed in January and reported on by SaferNet. While always a consistent threat, it would seem that Lazarus Group are ramping up attacks globally this year.

Lazarus Group Malware Attack Campaign Analysis


The analysis behind this attack campaign has been carried out by researchers at Malwarebytes.

This attack started by distributing phishing emails that were weaponized with a malicious document. The following figure shows the overall process of this attack.


Opening the document shows a blue theme in Korean that asks the user to enable the macro to view the document.


Upon enabling the macro, a message box will pop up, and after the user clicks it, the final lure will be loaded.

The document name is in Korean, “참가신청서양식.doc”, and it is a participation application form for a fair in one of the South Korean cities. The document creation time is 31 March 2021, which indicates that the malware attack happened around the same time.

The document has been weaponized with a macro that is executed upon opening.

The macro starts by calling the MsgBoxOKCancel function. This function pops up a message box to the user with a message claiming to be an older version of Microsoft Office. After showing the message box, it performs the following steps:

  • Defines the required variables, such as the WMI object, Mshta and the file extension, in base64 format and then calls the Decode function to base64-decode them.
  • Gets the active document name and separates the name from the extension.
  • Creates a copy of the active document in HTML format using ActiveDocument.SaveAs with wdFormatHTML as the parameter. Saving the document as HTML stores all the images within the document in the FILENAME_files directory.
  • Calls the show function to make the document protected. Protecting the document ensures that users cannot make any changes to it.
  • Gets the image file that has an embedded zlib object (image003.png).
  • Converts the image from PNG format into BMP format by calling WIA_ConvertImage. Since BMP is an uncompressed graphics file format, converting the PNG into a BMP automatically decompresses the malicious zlib object embedded in the PNG. This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images. The document contains a PNG image that holds a compressed zlib malicious object, and because it is compressed, it cannot be detected by static detections. The threat actor then just uses a simple conversion mechanism to decompress the malicious content.
  • Gets a WMI object to call Mshta to execute the BMP file. After decompression, the BMP file contains an HTA file which executes JavaScript to drop a payload.
  • Deletes all the images in the directory and then removes the directory generated by the SaveAs function.
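
A defender can close the gap described in the steps above by decoding the image before scanning it. The following is an added example, not code from the researchers or the original post: it inflates a PNG's IDAT stream, undoes the row filters as a conversion to BMP would, and searches the pixel bytes for script markers. The marker list, `make_png` and `SAMPLE` are constructed for illustration, and the code assumes a non-interlaced image whose embedded text survives contiguously in the decoded scanlines.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # samples per pixel by colour type
MARKERS = (b"<script", b"<hta:application", b"activexobject")  # illustrative list

def chunks(png):
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length

def paeth(a, b, c):
    pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
    return a if pa <= pb and pa <= pc else (b if pb <= pc else c)

def decoded_pixels(png):
    """Inflate IDAT and undo row filters (non-interlaced PNGs assumed)."""
    parts = list(chunks(png))
    width, height, depth, colour = struct.unpack(">IIBB", parts[0][1][:10])  # IHDR is first
    raw = zlib.decompress(b"".join(body for ctype, body in parts if ctype == b"IDAT"))
    bpp = max(1, CHANNELS[colour] * depth // 8)
    stride = (width * CHANNELS[colour] * depth + 7) // 8
    out, prev = bytearray(), [0] * stride
    for y in range(height):
        ftype, *row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        for i in range(len(row)):
            a = row[i - bpp] if i >= bpp else 0
            b, c = prev[i], (prev[i - bpp] if i >= bpp else 0)
            row[i] = (row[i] + (0, a, b, (a + b) // 2, paeth(a, b, c))[ftype]) & 0xFF
        out += bytes(row)
        prev = row
    return bytes(out)

def scan_png(png):  # markers found in the decoded pixel bytes, case-insensitive
    pixels = decoded_pixels(png).lower()
    return [m.decode() for m in MARKERS if m in pixels]

def make_png(pixels, width=16):  # constructed test input: 8-bit greyscale, filter 0
    pixels += bytes(-len(pixels) % width)
    rows = b"".join(b"\0" + pixels[i:i + width] for i in range(0, len(pixels), width))
    ihdr = struct.pack(">IIBBBBB", width, len(pixels) // width, 8, 0, 0, 0, 0)
    parts = ((b"IHDR", ihdr), (b"IDAT", zlib.compress(rows)), (b"IEND", b""))
    return PNG_SIG + b"".join(struct.pack(">I", len(b)) + t + b +
                              struct.pack(">I", zlib.crc32(t + b)) for t, b in parts)
SAMPLE = make_png(b"<script>/* constructed benign marker */</script>")
```

The marker is absent from the raw bytes of `SAMPLE` and appears only after decoding, which is why a byte-level signature over the file misses it.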

AppStore.exe loads a base64-encoded, encrypted payload that has been appended to the end of itself. Before the payload there is a string which is the decryption key (by7mJSoKVDaWg*Ub).

To decrypt the second stage payload, it first writes itself into a buffer created by VirtualAlloc, then looks for the encrypted payload and copies it into another buffer.

In the next step, it uses its own base64 decoder implementation to decode the allocated buffer and write the result into another buffer using memset and memmove. Finally, the decoded payload is decrypted via XOR with the hardcoded decryption key to generate the second stage payload.

After the decryption process has finished, it jumps to the start address of the second payload to execute it.
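
For analysts, the loader steps above translate into a short static unpacker. This is an added example, not the loader's code or the researchers' tooling; it assumes the standard base64 alphabet, a repeating-key XOR, and that the encoded payload directly follows the key string. `build_sample` and its placeholder plaintext are constructed.

```python
import base64
import binascii
import re

KEY = b"by7mJSoKVDaWg*Ub"  # key string quoted in the analysis above
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")  # assumed: standard alphabet

def xor_repeating(data, key):
    """XOR data with key, repeating the key as needed (assumed scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_second_stage(image, key=KEY):
    """Locate the key, base64-decode the run after it, then XOR-decrypt."""
    pos = image.rfind(key)
    if pos < 0:
        return None  # key string absent: not this loader layout
    run = B64_RUN.match(image, pos + len(key))
    if run is None:
        return None  # nothing base64-like follows the key
    try:
        blob = base64.b64decode(run.group(0), validate=True)
    except binascii.Error:
        return None  # truncated or corrupted run
    return xor_repeating(blob, key)

def build_sample(plaintext, key=KEY):
    """Constructed stand-in for the loader file: stub + key + encoded payload."""
    stub = b"MZ" + bytes(62)
    return stub + key + base64.b64encode(xor_repeating(plaintext, key))

SAMPLE = build_sample(b"constructed second-stage placeholder")
```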

Lazarus Group has used a clever method to bypass security mechanisms: it embedded its malicious HTA file as a compressed zlib object within a PNG file, which was then decompressed at run time by converting the image to the BMP format. The dropped payload was a malware loader that decoded and decrypted the second stage payload into memory. The second stage malware payload has the capability to receive and execute commands/shellcode as well as perform exfiltration and communications to a command and control server.


SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
