Lazarus Hacking Group Evolves Tactics, Tools and Targets in the DeathNote Campaign
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign tracked as DeathNote.
While the nation-state adversary is known for persistently targeting the cryptocurrency sector, recent attacks have also gone after the automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what is seen as a "significant" pivot.
"At this point, the actor switched all decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday.
The shift in targeting, along with the updated infection vectors, is said to have taken place in April 2020. The DeathNote cluster is also tracked under the names Operation Dream Job and NukeSped, and Google-owned Mandiant has tied some of the activity to a group it calls UNC2970.
Phishing attacks aimed at crypto businesses typically involve a Bitcoin-mining-themed decoy attached to an email message to entice potential targets into opening macro-laced documents, which in turn drop the Manuscrypt (aka NukeSped) backdoor on compromised machines.
The targeting of the automotive and academic verticals is tied to the broader Lazarus Group attacks on the defense industry, as documented by the Russian cybersecurity firm in October 2021, and led to the adoption of the BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants.
In an alternate chain of attacks, the threat actor uses a trojanized version of the legitimate open-source PDF reader SumatraPDF to launch its malicious routines. The use of a rogue PDF reader application by the Lazarus Group was previously disclosed by Microsoft.
Targets of these attacks included an IT asset monitoring solutions vendor based in Latvia and a think tank located in South Korea; the latter intrusion involved abusing legitimate security software widely used in the country to execute payloads.
The twin attacks "point to Lazarus building supply chain attack capabilities," Kaspersky said at the time. The group has since been blamed for a supply chain attack aimed at enterprise VoIP service provider 3CX that came to light last month.
Kaspersky said it also discovered another attack in March 2022 that targeted multiple victims in South Korea by exploiting the same security software to deliver downloader malware capable of dropping backdoors as well as information stealers that harvest keystroke and clipboard data.
"The newly implanted backdoor is capable of executing payloads retrieved via named-pipe communication," Park said, adding it was also "responsible for collecting and reporting victim information."
Around the same time, the same backdoor is said to have been used to compromise defense contractors in Latin America via the DLL side-loading technique, triggered when a specially crafted PDF file is opened using the trojanized PDF reader.
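The DLL side-loading step described above is something defenders can look for in endpoint telemetry. What follows is an added example and not code from Kaspersky or from this article: a Python script that runs two generic side-loading heuristics over Sysmon ImageLoad (Event ID 7) records. The DLL names, file paths, field names and sample records are constructed for illustration and are assumptions, not indicators taken from the report.

```python
"""Flag DLL side-loading candidates in Sysmon ImageLoad (Event ID 7) records.

Added detection example, not code from Kaspersky or the original article.
Heuristics (generic assumptions, not indicators from the report):
  1. A DLL whose file name normally lives only under the Windows system
     directories is loaded from somewhere else (the classic side-load).
  2. An unsigned DLL is loaded from the same user-writable directory as the
     executable that loaded it (a dropped reader plus its companion DLL).
"""
import json
from pathlib import PureWindowsPath

# Constructed, deliberately short list of DLL names that ship only with Windows.
SYSTEM_ONLY_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptsp.dll", "userenv.dll", "winhttp.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def _under(path: str, prefixes) -> bool:
    """Case-insensitive prefix test for Windows paths."""
    return path.lower().startswith(prefixes)


def classify(event: dict) -> list[str]:
    """Return the names of the heuristics an ImageLoad event triggers."""
    image = PureWindowsPath(event["Image"])          # the loading process
    loaded = PureWindowsPath(event["ImageLoaded"])   # the DLL that was mapped
    reasons = []
    if loaded.name.lower() in SYSTEM_ONLY_DLLS and not _under(str(loaded), SYSTEM_DIRS):
        reasons.append("system-dll-name-outside-system-dir")
    unsigned = str(event.get("Signed", "true")).lower() == "false"
    # PureWindowsPath compares case-insensitively, so parent equality is safe.
    if unsigned and loaded.parent == image.parent and _under(str(loaded), USER_WRITABLE_DIRS):
        reasons.append("unsigned-dll-beside-exe-in-user-dir")
    return reasons


def scan(jsonl: str) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines Sysmon records; return (ImageLoaded, reasons) for hits."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if int(event.get("EventID", 0)) != 7:   # only ImageLoad events matter here
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (JSON lines), not real logs.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\reader\\reader.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\reader\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\reader\\reader.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\viewer.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\viewer.exe", "CommandLine": "viewer.exe offer.pdf"}
"""

if __name__ == "__main__":
    for dll, why in scan(SAMPLE_EVENTS):
        print(f"{dll}: {', '.join(why)}")
```

The first heuristic catches the textbook case of a well-known system DLL name sitting next to an application; the second catches the looser pattern of an unsigned companion DLL dropped beside an executable in a user-writable location. Both produce false positives for legitimately portable software, so in practice they are best scored together with process reputation and parent-process context rather than used as stand-alone alerts.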
The Lazarus Group has also been linked to the successful breach of another defense contractor in Africa last July, in which a "suspicious PDF application" was sent via Skype to eventually drop a backdoor variant dubbed ThreatNeedle and another implant known as ForestTiger to exfiltrate data.
"The Lazarus group is a well-known and highly skilled threat actor," said Park. "As the Lazarus group continues to refine its approach, it is critical that organizations maintain vigilance and take proactive actions to defend against its nefarious activities."