{
	"id": "f9aeb76f-a862-4446-a4f5-4ff82542f412",
	"created_at": "2026-04-06T00:17:36.555441Z",
	"updated_at": "2026-04-10T03:21:51.28542Z",
	"deleted_at": null,
	"sha1_hash": "d3794eabf0197a7014f021654a1faf75d0080d77",
	"title": "Lazarus APT conceals malicious code within BMP image to drop its RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7007189,
	"plain_text": "Lazarus APT conceals malicious code within BMP image to drop its RAT\r\nPublished: 2021-04-19 · Archived: 2026-04-05 16:10:10 UTC\r\nThis blog was authored by Hossein Jazi\r\nLazarus APT is one of the most sophisticated North Korean threat actors and has been active since at least 2009. This actor is known to target the U.S., South Korea, Japan and several other countries. In one of its most recent campaigns Lazarus used a complex targeted phishing attack against security researchers.\r\nLazarus is known to employ new techniques and custom toolsets in its operations to increase the effectiveness of its attacks. On April 13, we identified a document used by this actor to target South Korea. In this campaign, Lazarus resorted to an interesting technique: a BMP file with an embedded malicious HTA object is used to drop its loader.\r\nProcess Graph\r\nThis attack likely started by distributing phishing emails that were weaponized with a malicious document. The following figure shows the overall process of this attack. In the next sections, we provide a detailed analysis of this process.\r\nDocument Analysis\r\nOpening the document shows a blue-themed page in Korean that asks the user to enable the macro to view the document.\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat\r\nPage 1 of 18\r\nUpon enabling the macro, a message box pops up and, after the user clicks it, the final lure is loaded.\r\nThe document name is in Korean, “참가신청서양식.doc”, and it is a participation application form for a fair in one of the South Korean cities. 
The document creation time is 31 March 2021, which indicates that the attack happened around the same time.\r\nThe document has been weaponized with a macro that is executed upon opening.\r\nThe macro starts by calling the MsgBoxOKCancel function. This function pops up a message box claiming that the user is running an older version of Microsoft Office. After showing the message box, it performs the following steps:\r\nDefines the required variables, such as the WMI object, Mshta and the file extension, in base64 form and then calls the Decode function to base64-decode them.\r\nGets the active document name and separates the name from the extension.\r\nCreates a copy of the active document in HTML format using ActiveDocument.SaveAs with wdFormatHTML as the parameter. Saving the document as HTML stores all the images within the document in a FILENAME_files directory.\r\nCalls the show function to make the document protected. Protecting the document ensures that users cannot make any changes to it.\r\nGets the image file that has an embedded zlib object (image003.png).\r\nConverts the PNG image into BMP format by calling WIA_ConvertImage. Since BMP is an uncompressed graphics file format, converting the PNG into a BMP automatically decompresses the malicious zlib object embedded in the PNG into the BMP. This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images: the document contains a PNG image that carries a zlib-compressed malicious object, and because it is compressed it cannot be matched by static detections. 
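A worked illustration of that point, added here as an example and not part of the original Malwarebytes analysis: a scanner that pattern-matches the PNG bytes sees only deflate output, while one that inflates the zlib stream (which is what the PNG-to-BMP conversion does) sees the script markers and the extra bytes that do not belong to any pixel row. The sample PNG, the HTA-like blob hidden in it, and the assumption that the object rides inside the image's own zlib (IDAT) stream are constructed for this example; the write-up does not describe the campaign's exact embedding layout.

```python
import struct
import zlib

# Constructed sample, not a file from the campaign: a minimal 8-bit RGB PNG
# whose zlib stream carries the scanline data followed by an HTA-like blob.
PNG_SIGNATURE = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])
MARKERS = [b'<script', b'hta:application', b'activexobject', b'mshta']


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    '''Serialise one PNG chunk: length, type, data, CRC over type+data.'''
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', crc)


def build_png_with_hidden_blob(width: int, height: int, blob: bytes) -> bytes:
    '''Build a valid PNG whose IDAT stream inflates to pixels plus an extra blob.'''
    row = bytes([0]) + bytes(width * 3)          # filter byte 0 + black RGB pixels
    raw = row * height + blob                    # blob rides inside the zlib stream
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + png_chunk(b'IHDR', ihdr)
            + png_chunk(b'IDAT', zlib.compress(raw, 9))
            + png_chunk(b'IEND', b''))


def iter_chunks(png: bytes):
    '''Yield (type, data) for each chunk; raise on a bad signature or CRC.'''
    if png[:8] != PNG_SIGNATURE:
        raise ValueError('not a PNG')
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack('>I4s', png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', png[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError('bad CRC in chunk ' + ctype.decode('latin-1'))
        yield ctype, data
        pos += 12 + length
        if ctype == b'IEND':
            break


def scan_bytes(buf: bytes) -> list:
    '''Case-insensitive search for script/HTA markers in an arbitrary buffer.'''
    low = buf.lower()
    return [m for m in MARKERS if m in low]


def scan_png(png: bytes) -> dict:
    '''Inflate the IDAT stream (as the PNG-to-BMP conversion does) and scan it.'''
    width = height = 0
    idat = b''
    for ctype, data in iter_chunks(png):
        if ctype == b'IHDR':
            width, height = struct.unpack('>II', data[:8])
        elif ctype == b'IDAT':
            idat += data
    d = zlib.decompressobj()
    inflated = d.decompress(idat) + d.flush()
    trailing = d.unused_data                     # bytes appended after the stream, if any
    expected = height * (1 + width * 3)          # 8-bit RGB, one filter byte per row
    return {
        'raw_hits': scan_bytes(png),             # what a plain pattern scan of the file sees
        'inflated_hits': scan_bytes(inflated + trailing),
        'excess_bytes': len(inflated) - expected,  # > 0 means more data than the pixels need
    }


# Constructed HTA-style payload used as the hidden object (not the real one).
SAMPLE_HTA = (b'<html><head><hta:application id=x /></head>'
              b'<script language=javascript>var x = 1;</script></html>')
SAMPLE_PNG = build_png_with_hidden_blob(64, 64, SAMPLE_HTA)


if __name__ == '__main__':
    print(scan_png(SAMPLE_PNG))
```

Run stand-alone it prints the three findings for the constructed sample: no marker in the raw file, both markers after inflation, and an inflated length that exceeds height * (1 + width * bytes per pixel) by exactly the size of the blob. That length mismatch is worth flagging on its own even when no marker matches, since it does not depend on knowing what the hidden object looks like.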
Then the threat actor just used a simple conversion mechanism to decompress the malicious content.\r\nGets a WMI object to call Mshta to execute the BMP file. After decompression the BMP file contains an HTA file, which executes JavaScript to drop a payload.\r\nDeletes all the images in the directory and then removes the directory generated by the SaveAs function.\r\nBMP file analysis (image003.zip)\r\nThe macro added the extension zip to the BMP file during the image conversion process to pretend it is a zip file. This BMP file has an embedded HTA file. This HTA contains JavaScript that creates “AppStore.exe” at “C:\\Users\\Public\\Libraries\\AppStore.exe” and then populates its content.\r\nAt the start, it defines an array that contains the list of the functions and parameters required by the script: OpenTextFile, CreateTextFile, Close, Write, FromCharCode, “C:/Users/Public/Libraries/AppStore.exe” and some junk values. When the script wants to perform an action, it calls a second function with a hex value that is responsible for building an index to retrieve the required value from the first array.\r\nFor example, at the first step it calls the second function with the value 0x1dd. This function subtracts 0x1dc from 0x1dd to get the index into the first array, which would be 1. Then it uses this index to retrieve the first element of the first array, which would be “C:/Users/Public/Libraries/AppStore.exe”. Following the same process, it calls CreateTextFile to create AppStore.exe and then writes MZ into it. Then it converts the data in decimal format to a string by calling fromCharCode and, using the same procedure, writes the result into AppStore.exe. 
At the end it calls Wscript.Run to execute the dropped payload.\r\nPayload analysis (AppStore.exe)\r\nAppStore.exe loads a base64-encoded, encrypted payload that has been appended to the end of itself. Before the payload there is a string which is the decryption key (by7mJSoKVDaWg*Ub).\r\nTo decrypt the second stage payload, it first writes itself into a buffer created by VirtualAlloc, then looks for the encrypted payload and copies it into another buffer.\r\nIn the next step, it uses its own base64 decoder to decode the allocated buffer and writes the result into another buffer using memset and memmove. Finally, this decoded payload is decrypted via XOR with the hardcoded key to produce the second stage payload.\r\nAfter the decryption process has finished, it jumps to the start address of the second stage payload to execute it.\r\nSecond stage payload analysis\r\nThis payload is loaded into memory by AppStore.exe and is never written to disk. 
It starts by performing an initialization process which includes the following steps:\r\nCreate mutex: Checks whether a mutex named “Microsoft32” exists on the machine; if it exists, the payload exits. Otherwise, the machine has not yet been infected with this RAT and it starts its malicious activities.\r\nResolve API calls: All important API names have been base64 encoded and RC4 encrypted and are decoded and decrypted at run time. The key for RC4 decryption is “MicrosoftCorporationValidation@#$%^\u0026*()!US”.\r\nMakes HTTP requests to command and control servers: The server addresses have been base64 encoded and encrypted using a custom encryption algorithm. You can find the decoder/decryptor here. This custom encryption algorithm is similar to the encryption algorithm used by the BISTROMATH RAT associated with Lazarus and reported by US-CERT.\r\nhttp://mail.namusoft.kr/jsp/user/eam/board.jsp\r\nhttp://www.jinjinpig.co.kr/Anyboard/skin/board.php\r\nAfter the initialization process has finished, it checks whether the communications to the C\u0026C servers were successful; if they were, it goes to the next step, in which it receives commands from the server and performs different actions based on them.\r\nThe commands received from the C\u0026C are base64 encoded and encrypted using its custom encryption algorithm (Figure 16). After deobfuscation, it performs the following commands based on the command codes. 
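The two decoding layers described above, the loader's base64-then-XOR unwrapping of the appended second stage with the key by7mJSoKVDaWg*Ub and the second stage's base64-then-RC4 recovery of API names with the key MicrosoftCorporationValidation@#$%^&*()!US, as an added Python example; this is not the malware's own code and not part of the original analysis. The sample loader bytes and the sample API-name blobs are constructed here, and the placement of the key string directly before the base64 text (and the RC4-under-base64 layering order) are assumptions, since the write-up does not spell out the exact layout.

```python
import base64

# Keys as reported in the analysis above.
LOADER_XOR_KEY = b'by7mJSoKVDaWg*Ub'
API_RC4_KEY = b'MicrosoftCorporationValidation@#$%^&*()!US'


def xor_with_key(data: bytes, key: bytes) -> bytes:
    '''Repeating-key XOR; applying it twice with the same key restores the input.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_appended_payload(loader_image: bytes, key: bytes = LOADER_XOR_KEY) -> bytes:
    '''Mirror the loader: find the key string near the tail of the file, treat what
    follows as base64, decode it, then XOR with the key to recover stage two.
    Assumption (layout not detailed in the write-up): the key immediately precedes
    the base64 text, both sitting after the end of the PE image.'''
    # rfind is safe: the key contains '*', which is not in the base64 alphabet,
    # so the appended key cannot be shadowed by a match inside the encoded blob.
    marker = loader_image.rfind(key)
    if marker < 0:
        raise ValueError('key marker not found; not a packed loader')
    b64 = loader_image[marker + len(key):].strip()
    encoded = base64.b64decode(b64, validate=True)
    return xor_with_key(encoded, key)


def decode_api_string(b64_cipher: bytes, key: bytes = API_RC4_KEY) -> str:
    '''Undo the base64 -> RC4 layering on an obfuscated API name.'''
    return rc4(key, base64.b64decode(b64_cipher, validate=True)).decode('ascii')


# Constructed sample loader: a placeholder PE-looking prefix, then key + base64(xor(stage2)).
SAMPLE_STAGE2 = b'MZ-stub-pretend-second-stage-' + bytes(range(0, 64))
SAMPLE_LOADER = (b'MZ' + bytes(254) + LOADER_XOR_KEY
                 + base64.b64encode(xor_with_key(SAMPLE_STAGE2, LOADER_XOR_KEY)))

# Constructed obfuscated API names in the same layering (RC4 under base64).
SAMPLE_API_BLOBS = [base64.b64encode(rc4(API_RC4_KEY, n))
                    for n in (b'VirtualAlloc', b'CreateProcessA', b'CreateThread')]


if __name__ == '__main__':
    print(unpack_appended_payload(SAMPLE_LOADER)[:29])
    print([decode_api_string(b) for b in SAMPLE_API_BLOBS])
```

Pointed at a real sample the same two functions are all an analyst needs to carve the second stage out of the dropper and to rebuild the import list without running it; validate=True on the base64 step makes a wrong offset fail loudly instead of yielding garbage that then XORs into garbage.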
The communications to the server are done through the send and recv socket functions.\r\n8888: It tries to execute the command it has received after the command code in two different ways. First it tries to execute the command by creating a new thread (Figure 17). This thread takes the command that follows the command code and executes it using cmd.exe; this is done using CreatePipe and CreateProcessA. Then it uses ReadFile to read the output of cmd.exe.\r\nThe output of cmd.exe is encoded and encrypted and is sent to the server as test.gif using an HTTP POST request (Figure 18).\r\nIf the CreateThread call was not successful, it executes the command by calling WinExec and then sends the “8888 Success!” message, encrypted using its custom encryption and then base64 encoded, to the server as test.gif.\r\n1234: It calls CreateThread to execute the buffer (third stage payload) it received from the server. At the end it encodes and encrypts “1234 Success!” and sends it to the server as test.gif.\r\n2099: It creates a batch file and executes it and then exits. 
This batch file deletes AppStore.exe from the victim’s machine.\r\n8877: It stores the buffer received from the server in a file.\r\n1111: It calls the shutdown function to disable sends or receives on a socket.\r\nThis second stage payload uses custom encoded user agents for its communications. All of these user agents have been base64 encoded and encrypted using the same custom encryption algorithm used to encrypt the server addresses. Here is the list of the different user agents used by this RAT.\r\nMozilla/%d.0 (compatible; MSIE %d.0; Windows NT %d.%d; WOW64; Trident/%d.0; Infopath.%d)\r\nMozilla/18463680.0 (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; WOW64; Trident/-858993460.0; Infopath.-858993460)\r\nMozilla/18463680.0 (compatible; MSIE -641.0; Windows NT 1617946400.-858993460; Trident/-858993460.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Infopath.-858993460)\r\nMozilla/%d.0 (Windows NT %d.%d%s) AppleWebKit/537.%d (KHTML, like Gecko) Chrome/%d.0.%d.%d Safari/%d.%d Infopath.%d\r\nThe repeated value -858993460 is 0xCCCCCCCC read as a signed 32-bit integer, the pattern MSVC debug builds write into uninitialized stack memory, which suggests those %d arguments were never populated; the resulting nonsensical user agent strings are therefore a usable network indicator in their own right.\r\nAttribution\r\nThere are several similarities between this attack and past Lazarus operations, and we believe these are strong indicators to attribute this attack to the Lazarus threat actor.\r\nThe second stage payload uses a custom encryption algorithm similar to the one used by the BISTROMATH RAT associated with this APT.\r\nThe second stage payload uses a combination of base64 and RC4 for data obfuscation, which is a common technique used by this APT.\r\nThe second stage payload used in this attack has some code similarities with known Lazarus malware families, including 
Destover.\r\nSending data and messages as a GIF to a server has been observed in past Lazarus operations, including AppleJeus, the supply chain attack against South Korea and the DreamJob operation.\r\nThis phishing attack targeted South Korea, which is one of the main targets of this actor.\r\nThe group is known to use Mshta.exe to run malicious scripts and download programs, which is similar to what was used in this attack.\r\nConclusion\r\nThe Lazarus threat actor is one of the most active and sophisticated North Korean threat actors and has targeted several countries including South Korea, the U.S. and Japan in the past couple of years. The group is known to develop custom malware families and use new techniques in its operations. In this blog we documented a spear phishing attack operated by this APT group that targeted South Korea.\r\nThe actor used a clever method to bypass security mechanisms: it embedded its malicious HTA file as a zlib-compressed object within a PNG file, which was then decompressed at run time by converting the image to BMP format. The dropped payload was a loader that decoded and decrypted the second stage payload into memory. 
The second stage payload has the capability to receive and execute commands/shellcode as well as to perform exfiltration and communications to a command and control server.\r\nIndicators of Compromise\r\nDocument\r\nF1EED93E555A0A33C7FEF74084A6F8D06A92079E9F57114F523353D877226D72\r\nDropped executable\r\nED5FBEFD61A72EC9F8A5EBD7FA7BCD632EC55F04BDD4A4E24686EDCCB0268E05\r\nCommand and control servers\r\njinjinpig[.]co[.]kr\r\nmail[.]namusoft[.]kr\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat"
	],
	"report_names": [
		"lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434656,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3794eabf0197a7014f021654a1faf75d0080d77.pdf",
		"text": "https://archive.orkl.eu/d3794eabf0197a7014f021654a1faf75d0080d77.txt",
		"img": "https://archive.orkl.eu/d3794eabf0197a7014f021654a1faf75d0080d77.jpg"
	}
}