LolZarus: Lazarus Group Incorporating Lolbins into Campaigns
Phishing Documents Used in the Campaign
Two phishing documents named "Lockheed_Martin_JobOpportunities.docx" and "Salary_Lockheed_Martin_job_opportunities_confidential.doc" were detected in this campaign.
Initial Macro Execution via ActiveX
The initial entry point for the macro is the ActiveX Frame1_Layout event handler, which runs automatically once ActiveX controls are enabled in the document.
Use of WMVCORE.DLL and Thematic Obfuscation
The first macro starts by loading WMVCORE.DLL, a legitimate Windows DLL for Windows Media.
To make the macro appear more innocuous, Lazarus uses function names identical to the exported functions of WMVCORE.DLL and variable names thematically related to media playback.
The macro includes a check for a document variable before entering its main functionality block.
This variable is set at the end to prevent re-execution if the document is reopened.
Shellcode Delivery and Decoding Mechanism
The second stage payload is shellcode embedded as a base64-encoded string array inside the macro, decoded using CryptStringToBinaryW.
Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable heap.
The decoded shellcode then overwrites the WMIsAvailableOffline function from WMVCORE.DLL by retrieving its address and changing its memory permissions.
KernelCallbackTable Hijack for Execution
Callback to the shellcode is achieved by retrieving the KernelCallbackTable pointer from the PEB structure of the current process via NtQueryInformationProcess.
The macro patches the _fnDWORD pointer to point to WMIsAvailableOffline.
As a result, whenever WinWord makes any graphical call, the shellcode executes.
Document Variable Check and Decoy Display
The macro sets a document variable again to prevent repeated execution of the shellcode and KernelCallbackTable hijack.
It also retrieves and displays a decoy document.
Persistent Beacon Setup and C2 Communication
The shellcode sets up a periodic beacon to https://markettrendingcenter[.]com/member[.]htm.
It creates a new staging folder, C:\WMAuthorization, writes a VBS file named WMVxEncd.vbs to it, and creates a scheduled task to run the VBS file every 20 minutes.
The beacon command is executed using a Wscript.Shell object named shellObj.
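The chain above (ActiveX autorun, WMVCORE.DLL as cover, CryptStringToBinaryW/UuidFromStringA decoding, the NtQueryInformationProcess/KernelCallbackTable hijack, and the WMAuthorization staging folder) gives a triage analyst a set of co-occurring indicators. The following is an added example, not code from the original report, of a small macro-text scorer that flags a VBA dump only when several of these stages appear together; the VBA samples are constructed for the example and contain declarations and strings only, no payload or patch logic.

```python
import re

# Indicator groups for the macro chain described in the report. A match in a
# group means that stage is present; the verdict requires several stages to
# co-occur, so a lone legitimate call (e.g. Wscript.Shell in an admin macro)
# is not enough on its own to flag a document.
STAGES = {
    "activex_autorun": [r"\bFrame1_Layout\b"],
    "decoy_dll":       [r"WMVCORE\.DLL", r"\bWMIsAvailableOffline\b"],
    "payload_decode":  [r"\bCryptStringToBinaryW\b", r"\bUuidFromStringA\b"],
    "callback_hijack": [r"\bNtQueryInformationProcess\b", r"KernelCallbackTable", r"_?fnDWORD"],
    "staging_persist": [r"WMAuthorization", r"WMVxEncd\.vbs", r"markettrendingcenter", r"Wscript\.Shell"],
}

def scan_macro(vba_text: str) -> dict:
    """Return {stage: [matched patterns]} for every stage seen in the macro text."""
    hits = {}
    for stage, patterns in STAGES.items():
        found = [p for p in patterns if re.search(p, vba_text, re.IGNORECASE)]
        if found:
            hits[stage] = found
    return hits

def verdict(vba_text: str, min_stages: int = 3) -> str:
    """'flag' when at least min_stages distinct stages co-occur, otherwise 'clean'."""
    return "flag" if len(scan_macro(vba_text)) >= min_stages else "clean"

# Constructed sample: the declarations and strings an analyst would see in a
# macro following the reported chain (hypothetical signatures, no payload).
SUSPECT_VBA = '''
Private Declare PtrSafe Function WMIsAvailableOffline Lib "WMVCORE.DLL" () As Long
Private Declare PtrSafe Function CryptStringToBinaryW Lib "crypt32" (ByVal s As LongPtr) As Long
Private Declare PtrSafe Function NtQueryInformationProcess Lib "ntdll" (ByVal h As LongPtr) As Long
Private Sub Frame1_Layout()
    If ActiveDocument.Variables.Count > 0 Then Exit Sub   ' re-execution guard
    Set shellObj = CreateObject("Wscript.Shell")
End Sub
'''

# Constructed benign sample: an ordinary automation macro that also uses Wscript.Shell.
BENIGN_VBA = '''
Sub ExportReport()
    Set shellObj = CreateObject("Wscript.Shell")
    shellObj.Run "notepad.exe"
End Sub
'''

if __name__ == "__main__":
    print(verdict(SUSPECT_VBA), scan_macro(SUSPECT_VBA))
    print(verdict(BENIGN_VBA), scan_macro(BENIGN_VBA))
```

Run it over VBA extracted with a tool such as olevba; raising `min_stages` trades recall for fewer false positives on macros that legitimately call one of these APIs.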