The infamous threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, Kaspersky noticed that in one case it employed significantly changed malware. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal. The malware author used decoy documents related to the cryptocurrency business: a questionnaire on purchasing a specific cryptocurrency, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company. This was the first time the DeathNote campaign came into play, targeting individuals and companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.
Timeline of the DeathNote cluster
However, in April 2020 Kaspersky saw a significant shift in DeathNote’s infection vectors. Research revealed that the DeathNote cluster was used to target automotive and academic organizations in Eastern Europe linked to the defense industry. At this time, the actor switched all of its decoy documents to job descriptions from defense contractors and diplomatic-related documents. Besides that, the actor refined its infection chain, using the remote template injection technique in its weaponized documents and utilizing Trojanized open-source PDF viewer software. Both infection methods result in the same malware (the DeathNote downloader), which is responsible for uploading the victim’s information.
In May 2021, Kaspersky observed that an IT company in Europe, which provides solutions for network device and server monitoring, was compromised by the DeathNote cluster. Moreover, in early June 2021, this Lazarus subgroup began utilizing a new mechanism to infect targets in South Korea. What caught the researchers’ attention was that the initial stage of the malware was executed by legitimate software, which is widely used for security in South Korea.
While monitoring DeathNote during 2022, Kaspersky researchers discovered that the cluster had been responsible for attacks on a defense contractor in Latin America. The initial infection vector was similar to what we've seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload.
In the ongoing campaign that was first discovered in July 2022, it was revealed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via Skype messenger. Upon execution, the PDF reader created both a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the same directory.
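As an added triage example (not code from the Kaspersky report), the script below looks for the side-loading footprint just described: a DLL carrying the name of a Windows system DLL sitting beside an executable outside the Windows directory, where the executable would resolve it by name before the genuine copy. The system DLL set, the Windows path prefix and the file listing are constructed assumptions for the demonstration.

```python
import ntpath
from collections import defaultdict

# Names of legitimate Windows DLLs that a benign executable may load by name.
# DUI70.dll (loaded by CameraSettingsUIHost.exe) is the one named in the report;
# the other entries are assumptions of this example, not taken from the page.
SYSTEM_DLL_NAMES = {"dui70.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}
WINDOWS_DIR = "c:\\windows"  # assumed system root for the demonstration


def _under_windows_dir(directory):
    d = directory.lower()
    return d == WINDOWS_DIR or d.startswith(WINDOWS_DIR + "\\")


def find_sideload_candidates(paths, system_dll_names=SYSTEM_DLL_NAMES):
    """Return (directory, exe, dll) triples where a DLL that carries a Windows
    system DLL name sits next to an executable outside the Windows directory.
    That pairing is the on-disk trace of DLL side-loading: the signed EXE asks
    for the DLL by name and the loader finds the attacker's copy first."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for path in paths:
        directory, name = ntpath.split(path)
        lower = name.lower()
        if _under_windows_dir(directory):
            continue  # the DLL's legitimate home, not a side-load location
        if lower.endswith(".exe"):
            by_dir[directory]["exe"].append(name)
        elif lower.endswith(".dll") and lower in system_dll_names:
            by_dir[directory]["dll"].append(name)
    findings = []
    for directory, files in sorted(by_dir.items()):
        for exe in files["exe"]:
            for dll in files["dll"]:
                findings.append((directory, exe, dll))
    return findings


# Constructed file listing; the download path and reader name are made up.
SAMPLE_LISTING = [
    r"C:\Windows\System32\DUI70.dll",
    r"C:\Windows\System32\CameraSettingsUIHost.exe",
    r"C:\Users\alice\Downloads\PDFReader\PDFReader.exe",
    r"C:\Users\alice\Downloads\PDFReader\CameraSettingsUIHost.exe",
    r"C:\Users\alice\Downloads\PDFReader\DUI70.dll",
    r"C:\Program Files\Tool\tool.exe",
    r"C:\Program Files\Tool\helper.dll",
]

if __name__ == "__main__":
    for directory, exe, dll in find_sideload_candidates(SAMPLE_LISTING):
        print(f"possible side-load: {dll} beside {exe} in {directory}")
```

Every hit is a candidate for review, not a verdict; confirming it means comparing the DLL's hash and signature against the copy in System32.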
“The Lazarus group is an infamous and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques, and procedures over the years. In this campaign, Lazarus isn’t confined to crypto-related business but has gone much further. It deploys both legitimate software and malicious files to compromise defense enterprises. As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities,” comments Seongsu Park, lead security researcher, GReAT at Kaspersky.
To find out more about Lazarus’ DeathNote cluster, the different stages of the campaign and its TTPs, check the full report on Securelist.
To avoid falling victim to targeted attacks by known or unknown threat actors, Kaspersky researchers recommend implementing the following measures: