By GoldSparrow in Malware

The Lazarus APT (Advanced Persistent Threat) is a notorious hacking group originating from North Korea. Its criminal activities are widely believed to be sponsored by the North Korean state. The group has a large arsenal of hacking tools, among which is the Bitsran Trojan-dropper. This tool appears to serve as a first-stage payload, meant to weaken the system's security measures so that the attackers can plant more malware.

Malware researchers believe that the authors of the Bitsran Trojan-dropper may be using '.LNK' files or Microsoft Office documents sent as email attachments to propagate this threat. As soon as the Bitsran dropper manages to infiltrate a computer, it places all its files in the %TEMP% folder located in the Windows directory. Next, the Bitsran dropper gains persistence by tampering with the Windows Registry on the compromised host, which ensures that the Bitsran Trojan dropper is run every time the system is rebooted.

The Bitsran dropper is able to detect the presence of anti-malware applications on the infiltrated machine, and if it finds any processes linked to anti-virus tools, it attempts to kill them. Bitsran uses an interesting technique to obfuscate its payload: the primary executable of the dropper, 'bitstran.exe,' has a BMP (image file) embedded in it. The image itself is meaningless, but the file has additional data nested inside it, and this is the place from which Bitsran fetches the main payload before unpacking and executing it. It appears that the main purpose of the Bitsran Trojan dropper is to plant the Hermes Ransomware on the infected computers.
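One way an analyst can check a suspicious file for this carrier trick, as an added example that is not from the original post and not the malware's own code: scan the file for embedded uncompressed BMP headers and flag any whose declared size is larger than the header plus pixel rows, since that surplus region is where appended data would sit. The host blob, the 2x2 image and the hidden payload bytes are all constructed here; the heuristic only catches data that the BMP's declared size covers.

```python
import struct

FILE_HDR = 14   # BITMAPFILEHEADER
INFO_HDR = 40   # BITMAPINFOHEADER (the common 40-byte variant)

def find_bmp_carriers(blob: bytes) -> list:
    """Locate embedded uncompressed BMPs whose declared bfSize exceeds
    header + palette + pixel rows. That surplus region is where a dropper
    can hide an appended payload while the image still opens normally."""
    hits = []
    pos = blob.find(b"BM")
    while pos != -1 and pos + FILE_HDR + INFO_HDR <= len(blob):
        (bf_size, reserved, off_bits, bi_size, width, height,
         planes, bpp, compression) = struct.unpack_from("<IIIIiiHHI", blob, pos + 2)
        # Plausibility checks keep random "BM" byte pairs from being reported.
        if (reserved == 0 and bi_size == INFO_HDR and planes == 1 and compression == 0
                and bpp in (1, 4, 8, 24, 32) and width > 0 and height != 0
                and off_bits >= FILE_HDR + INFO_HDR and bf_size >= off_bits):
            stride = ((width * bpp + 31) // 32) * 4        # rows are 4-byte aligned
            pixel_end = off_bits + stride * abs(height)    # relative to the BMP start
            surplus = bf_size - pixel_end
            if surplus > 0:
                hits.append({"bmp_offset": pos, "width": width, "height": abs(height),
                             "surplus_offset": pos + pixel_end, "surplus_bytes": surplus})
        pos = blob.find(b"BM", pos + 1)
    return hits

def extract_surplus(blob: bytes, hit: dict) -> bytes:
    """Return the bytes living in the surplus region (clipped to the blob)."""
    start = hit["surplus_offset"]
    return blob[start:start + hit["surplus_bytes"]]

def build_sample_carrier(payload: bytes) -> bytes:
    """Constructed sample: a 2x2 24-bit BMP with `payload` appended inside its
    declared size, wrapped in filler bytes standing in for a host executable."""
    width, height, bpp = 2, 2, 24
    stride = ((width * bpp + 31) // 32) * 4                # 8 bytes per row
    pixels = bytes(stride * height)                        # 16 bytes of black
    off_bits = FILE_HDR + INFO_HDR
    bf_size = off_bits + len(pixels) + len(payload)        # size claims the payload too
    file_hdr = b"BM" + struct.pack("<IIII", bf_size, 0, off_bits, INFO_HDR)
    info_hdr = struct.pack("<iiHHIIiiII", width, height, 1, bpp, 0, len(pixels), 0, 0, 0, 0)
    return b"MZ" + bytes(30) + file_hdr + info_hdr + pixels + payload + bytes(8)

if __name__ == "__main__":
    sample = build_sample_carrier(b"CONSTRUCTED-HIDDEN-PAYLOAD")
    for hit in find_bmp_carriers(sample):
        print(hit, extract_surplus(sample, hit))
```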

Users need to remember to keep all their software up to date and use a reputable anti-malware tool to protect their systems and their data from threats like the Bitsran dropper.
