A North Korean threat actor known as the Lazarus Group has been observed changing its targets and improving its techniques as part of a campaign dubbed “DeathNote” by Kaspersky.
Kaspersky Senior Security Researcher Seongsu Park explained the findings in an advisory released today, stating that the team has been tracking this campaign, also known as Operation DreamJob or NukeSped, since 2019.
“Malware authors used decoy documents related to the cryptocurrency business, such as surveys on purchasing specific cryptocurrencies, referrals to specific cryptocurrencies, and referrals to bitcoin mining companies,” Park explained.
However, in April 2020, Kaspersky observed a significant shift in the campaign’s targets, along with updated infection vectors.
“Our investigation found that the DeathNote cluster was used to target Eastern European automotive and academic sectors associated with the defense industry,” the advisory states. “At this point, the actor switched all decoy documents to job descriptions related to defense contractors and diplomatic services.”
The infection chain was also sophisticated, relying not only on remote template injection techniques into weaponized documents, but also on trojanized open-source PDF viewer software.
Then, in May 2021, the DeathNote campaign expanded to a range of targets in South Korea, as well as a European IT company that provides solutions for monitoring network devices and servers.
“What caught our attention was that the early stages of the malware were delivered through legitimate security software widely used in South Korea,” said Park. “Almost a year later, in March 2022, we discovered that the same security program had been exploited to spread similar downloader malware to multiple victims in South Korea.”
Read more about a similar attack here: Lazarus Group Targets South Korean Financial Firm Via Zero-Day Vulnerability
Around the same time, Kaspersky also discovered that the same backdoor was used to compromise a Latin American defense contractor.
“In July 2022, we confirmed that the Lazarus Group had successfully intruded into a defense contractor in Africa,” added Park. “This attack relied heavily on the DLL side-loading technique, the same one observed in previous cases.”
Kaspersky says it has gained extensive information about the Lazarus Group’s post-exploitation strategy thanks to its research into the DeathNote campaign.
“Our analysis of the DeathNote cluster revealed that its tactics, techniques and procedures have evolved rapidly over the years,” Park said. “Organizations can reduce the risk of falling victim to this dangerous adversary.”
Kaspersky’s advisory came months after WithSecure security researchers reported observing “operational security mistakes” made by the Lazarus Group during targeted attacks against organizations in the research, medical and energy sectors.