LolZarus: Lazarus Group Incorporating Lolbins into Campaigns

February 15, 2022

Phishing Documents Used in the Campaign

Two phishing documents named "Lockheed_Martin_JobOpportunities.docx" and "Salary_Lockheed_Martin_job_opportunities_confidential.doc" were detected in this campaign.

Initial Macro Execution via ActiveX

The macro's entry point is Frame1_Layout, the Layout event handler of an embedded ActiveX Frame control. Unlike the better-known AutoOpen or Document_Open triggers, this event fires as soon as the user enables ActiveX controls, so the macro runs without any further interaction.

Use of WMVCORE.DLL and Thematic Obfuscation

The first macro begins by loading WMVCORE.DLL, a legitimate Windows Media DLL shipped with Windows.
To make the code look innocuous, Lazarus names the macro's own procedures after the exported functions of WMVCORE.DLL and gives its variables names drawn from media playback, so a quick read of the module suggests a media helper rather than a loader.

Before entering its main block, the macro checks for a document variable (a value stored inside the document itself, so it persists with the file).
The same variable is set at the end of the routine, so reopening the document does not run the payload a second time.

Shellcode Delivery and Decoding Mechanism

The second stage is shellcode embedded in the macro as an array of base64 string chunks; the chunks are joined and decoded with CryptStringToBinaryW from crypt32.dll, so no decoding routine has to appear in the macro itself.

Other variants carry the payload as an array of UUID strings and decode each one with UuidFromStringA from rpcrt4.dll, which parses the text into a 16-byte UUID structure; by pointing the output at a heap created with HEAP_CREATE_ENABLE_EXECUTE, the bytes land directly in executable memory.
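Both decoding paths can be reproduced offline when pulling the payload out of an extracted macro. The following Python is an added example for this write-up, not code from the campaign or from the macro: it reconstructs the shellcode bytes from either a base64 string array (the CryptStringToBinaryW case) or a UUID string array (the UuidFromStringA case), reproducing the byte layout UuidFromStringA writes to memory. SAMPLE_STUB is a constructed 16-byte x64 shellcode prologue, not the Lazarus payload.

```python
"""
Reconstruct the embedded second stage from the string array a macro feeds to
CryptStringToBinaryW (base64 text) or, chunk by chunk, to UuidFromStringA
(UUID strings). Added example for this write-up, not code from the campaign;
SAMPLE_STUB is a constructed 16-byte x64 shellcode prologue, not the real payload.
"""
import base64
import re
import struct
import uuid

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def uuid_string_to_bytes(s: str) -> bytes:
    """Reproduce the in-memory layout UuidFromStringA writes: Data1 (DWORD),
    Data2 and Data3 (WORDs) are little-endian, Data4 (8 bytes) is copied as-is.
    This equals uuid.UUID(s).bytes_le; it is spelled out so the byte order,
    which is the part people get wrong, is visible."""
    d1, d2, d3, d4a, d4b = s.strip().split("-")
    return struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16)) + bytes.fromhex(d4a + d4b)


def decode_uuid_chunks(chunks) -> bytes:
    """Every element of the macro's array is one UUID, i.e. 16 bytes of payload."""
    out = bytearray()
    for c in chunks:
        if not UUID_RE.match(c.strip()):
            raise ValueError(f"not a UUID string: {c!r}")
        out += uuid_string_to_bytes(c)
    return bytes(out)


def decode_base64_chunks(chunks) -> bytes:
    """CryptStringToBinaryW in base64 mode skips CR/LF and spaces between
    characters; b64decode does the same when validate is left at False."""
    return base64.b64decode("".join(chunks))


def decode_embedded_payload(chunks) -> bytes:
    """Choose the decoder from the shape of the first array element."""
    if UUID_RE.match(chunks[0].strip()):
        return decode_uuid_chunks(chunks)
    return decode_base64_chunks(chunks)


def encode_as_uuid_strings(blob: bytes) -> list:
    """Inverse transform (zero-padded to 16 bytes), used to build test data and
    to check that a suspected UUID array really round-trips."""
    padded = blob + b"\x00" * (-len(blob) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


# Constructed sample: first 16 bytes of a typical x64 stub (cld; and rsp,-16; call ...; push r9 ...).
SAMPLE_STUB = bytes.fromhex("fc4883e4f0e8c0000000415141505251")

if __name__ == "__main__":
    as_uuid = encode_as_uuid_strings(SAMPLE_STUB)      # ['e48348fc-e8f0-00c0-0000-415141505251']
    as_b64 = base64.b64encode(SAMPLE_STUB).decode()    # '/EiD5PDowAAAAEFRQVBSUQ=='
    assert decode_embedded_payload(as_uuid) == SAMPLE_STUB
    assert decode_embedded_payload([as_b64[:8], "\r\n", as_b64[8:]]) == SAMPLE_STUB
    print(as_uuid, as_b64, decode_embedded_payload(as_uuid).hex())
```

Feed it the list of string literals recovered from the macro (olevba or a similar extractor gives you the array). The little-endian handling of Data1 to Data3 is the part worth checking: concatenating the hex digits of each UUID in order yields the wrong byte order for the first eight bytes of every chunk, which is enough to break disassembly of the result.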

The macro then resolves the address of WMIsAvailableOffline, an export of WMVCORE.DLL, changes the memory protection of that code page so it is writable (the VirtualProtect step), and copies the decoded shellcode over the function body. The shellcode now lives inside a legitimately loaded Microsoft DLL rather than in an anonymous allocation, which is where memory scanners tend to look first.

KernelCallbackTable Hijack for Execution

Control is passed to the shellcode without a direct call. The macro uses NtQueryInformationProcess (ProcessBasicInformation) to obtain the address of the current process's PEB and reads the KernelCallbackTable pointer from it (offset 0x58 in the 64-bit PEB, 0x2C in the 32-bit one). That table is the array of user32 routines win32k calls back into user mode; the macro patches its __fnDWORD entry (index 2) to point at WMIsAvailableOffline, whose body now holds the shellcode.

As a result, the next time win32k dispatches a window message to WinWord through __fnDWORD, which happens during ordinary UI activity, execution lands in the shellcode. No CreateThread or explicit call from the macro is needed, which is what makes this hijack attractive against monitoring that focuses on macro-initiated thread creation.

Document Variable Check and Decoy Display

At this point the macro sets the document variable so that the shellcode write and the KernelCallbackTable patch are not repeated on later opens.
It then retrieves and displays a decoy document so the victim sees the job-related content the file name promised.

Persistent Beacon Setup and C2 Communication

The shellcode sets up a periodic beacon to:

https://markettrendingcenter[.]com/member[.]htm

It creates a new staging folder, C:\WMAuthorization, writes a VBS file named WMVxEncd.vbs into it, and registers a scheduled task that runs the VBS every 20 minutes. Both artifacts are good hunting pivots: a top-level folder created from the WinWord process and a scheduled task that runs a .vbs out of it are rare in a healthy environment.

Inside the VBS, the beacon command is run through a WScript.Shell object (named shellObj in the script), so the periodic beacon originates from the task's wscript.exe process, or from whatever it launches, rather than from WinWord.
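To hunt for the persistence described in this section, an incident responder can triage exported scheduled-task definitions. The Python below is an added example, not tooling from the campaign: it parses Task Scheduler XML and flags a script host as the task action, a script file outside the usual installation directories, and a repetition interval at or under a threshold. The report does not give the task's name, trigger type or exact command line, so SAMPLE_TASK_XML is constructed to match the described behaviour (assuming wscript.exe as the host), and BENIGN_TASK_XML is a constructed control.

```python
"""
Triage exported Task Scheduler definitions for the persistence pattern above:
a task repeating at a short interval that runs a script host on a .vbs dropped
in a freshly created staging folder. Added example for this write-up, not
tooling from the campaign; the real task's name, trigger type and command line
are not in the report, so SAMPLE_TASK_XML is constructed. Task XML lives under
C:\\Windows\\System32\\Tasks or comes from `schtasks /query /xml`.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Where a legitimately installed task's binaries and scripts normally live.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _iso8601_minutes(interval) -> int:
    """Task Scheduler durations are ISO 8601 (PT20M, PT1H30M, P1D); -1 if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m:
        return -1
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + (s + 59) // 60


def _paths_in(cmdline: str) -> list:
    """Absolute Windows paths on a command line, quoted (may contain spaces) or bare."""
    pat = r'"([a-zA-Z]:\\[^"]+)"|([a-zA-Z]:\\\S+)'
    return [m.group(1) or m.group(2) for m in re.finditer(pat, cmdline)]


def triage_task_xml(xml_doc, max_minutes: int = 30) -> list:
    """Return human-readable findings for one task definition; [] means clean.
    Pass the raw bytes of a .xml task file so expat honours its UTF-16 declaration."""
    root = ET.fromstring(xml_doc)
    findings = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", "", NS) or "").strip()
        line = f"{cmd} {args}".strip()
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            findings.append(f"script host as task action: {line}")
        for path in _paths_in(line):
            low = path.lower()
            if low.endswith(SCRIPT_EXT) and not low.startswith(EXPECTED_DIRS):
                findings.append(f"script outside expected directories: {path}")
    for iv in root.iterfind(".//t:Triggers//t:Repetition/t:Interval", NS):
        minutes = _iso8601_minutes(iv.text)
        if 0 <= minutes <= max_minutes:
            findings.append(f"repeats every {minutes} min ({iv.text})")
    return findings


# Constructed to match the report: wscript.exe on the dropped VBS every 20 minutes.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2022-02-01T09:00:00</StartBoundary>
      <Repetition><Interval>PT20M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\\WMAuthorization\\WMVxEncd.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily updater under Program Files.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Example Updater\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, triage_task_xml(doc) or "no findings")
```

The three checks are deliberately independent: a 20-minute repetition alone is common for legitimate telemetry tasks, and a script host alone is common for logon scripts, but all three together on one task is the shape described in this report and is worth a look every time.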