Apr 13, 2023, by Ravie Lakshmanan
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called DeathNote.

While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot.

"At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said [1] in an analysis published Wednesday.

The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job [2] or NukeSped [3]. Google-owned Mandiant also tied a subset of the activity to a group it calls UNC2970 [4].

The phishing attacks directed against crypto businesses typically entail using bitcoin mining-themed lures in email messages to entice potential targets into opening macro-laced documents in order to drop the Manuscrypt [5] (aka NukeSped) backdoor on the compromised machine.

The targeting of the automotive and academic verticals is tied to Lazarus Group's broader attacks against the defense industry, as documented [6] by the Russian cybersecurity firm in October 2021, leading to the deployment of BLINDINGCAN [7] (aka AIRDRY [8] or ZetaNile) and COPPERHEDGE implants.
In an alternative attack chain, the threat actor employed a trojanized version of a legitimate PDF reader application called SumatraPDF Reader to initiate its malicious routine. The Lazarus Group's use of rogue PDF reader apps was previously revealed [9] by Microsoft.

The targets of these attacks included an IT asset monitoring solution vendor based in Latvia and a think tank located in South Korea, the latter of which entailed the abuse of legitimate security software that's widely used in the country to execute the payloads.
The twin attacks "point to Lazarus building supply chain attack capabilities," Kaspersky noted at the time. The adversarial crew has since been blamed [11] for the supply chain attack aimed at enterprise VoIP service provider 3CX that came to light last month.

Kaspersky said it discovered another attack in March 2022 that targeted several victims in South Korea by exploiting the same security software to deliver downloader malware capable of delivering a backdoor as well as an information stealer for harvesting keystroke and clipboard data.

"The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication," Park said, adding it's also "responsible for collecting and reporting the victim's information."

Around the same time, the same backdoor is said to have been utilized to breach a defense contractor in Latin America using DLL side-loading techniques upon opening a specially-crafted PDF file using a trojanized PDF reader.

The Lazarus Group has also been linked to a successful breach of another defense contractor in Africa last July in which a "suspicious PDF application" was sent over Skype to ultimately drop a variant of a backdoor dubbed ThreatNeedle [12] and another implant known as ForestTiger to exfiltrate data.

"The Lazarus group is a notorious and highly skilled threat actor," Park said. "As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities."
References
- [1] said (securelist.com)
- [2] Operation Dream Job (thehackernews.com)
- [3] NukeSped (thehackernews.com)
- [4] UNC2970 (thehackernews.com)
- [5] Manuscrypt (thehackernews.com)
- [6] documented (thehackernews.com)
- [7] BLINDINGCAN (thehackernews.com)
- [8] AIRDRY (thehackernews.com)
- [9] previously revealed (thehackernews.com)
- [10] Don't Miss Out – Save Your Seat! (thehacker.news)
- [11] has since been blamed (thehackernews.com)
- [12] ThreatNeedle (thehackernews.com)
- [13] Twitter (twitter.com)
- [14] LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html
