Lazarus Group's DeathNote Campaign Reveals Shift in Targets

Written by

The North Korean threat actor known as Lazarus Group has been observed changing targets and refining their techniques as part of a campaign dubbed “DeathNote” by Kaspersky.

Describing the finding in an advisory published earlier today, Kaspersky’s senior security researcher Seongsu Park said the team has been tracking the campaign, also known as Operation DreamJob or NukeSped, since 2019.

“The malware author used decoy documents that were related to the cryptocurrency business, such as a questionnaire about buying specific cryptocurrency, an introduction to a specific cryptocurrency, and an introduction to a bitcoin mining company,” Park explained.

However, Kaspersky uncovered a significant shift in the attack’s targets as well as updated infection vectors in April 2020.

“Our research showed that the DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry,” reads the advisory. “At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.”

The infection chain was also refined, relying not only on the remote template injection technique in weaponized documents but also on trojanized open-source PDF viewer software.

In May 2021, the DeathNote campaign then started targeting an IT company in Europe that provided solutions for monitoring network devices and servers and various targets in South Korea.

“One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in South Korea,” Park said. “Almost one year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea.”

Read more on similar attacks here: Lazarus Group Targets South Korean Finance Firm Via Zero-Day Flaw

Around the same time, Kaspersky also discovered the same backdoor was used to compromise a defense contractor in Latin America.

“In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa,” Park added. “This attack heavily relied on the same DLL side-loading technique that we observed in the previous case. The payload that was initially implanted and executed by the PDF reader was responsible for collecting and reporting the victim’s information.”

Thanks to the investigation into the DeathNote campaign, Kaspersky said it gained extensive information regarding the Lazarus Group’s post-exploitation strategy.

“Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques and procedures over the years,” concluded Park. “By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.”

The Kaspersky advisory comes a couple of months after security researchers at WithSecure reported observing an “operational security mistake by the Lazarus Group during an attack on targeted research, medical and energy sector organizations.

What’s hot on Infosecurity Magazine?