Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign
14.4.23 Hacking The Hacker News
The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called DeathNote.
While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot.
"At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday.
The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job or NukeSped. Google-owned Mandiant has also tied a subset of the activity to a group it calls UNC2970.
The phishing attacks directed against crypto businesses typically entail using bitcoin mining-themed lures in email messages to entice potential targets into opening macro-laced documents in order to drop the Manuscrypt (aka NukeSped) backdoor on the compromised machine.
The targeting of the automotive and academic verticals is tied to Lazarus Group's broader attacks against the defense industry, as documented by the Russian cybersecurity firm in October 2021, leading to the deployment of BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants.
In an alternative attack chain, the threat actor employed a trojanzied version of a legitimate PDF reader application called SumatraPDF Reader to initiate its malicious routine. The Lazarus Group's use of rogue PDF reader apps was previously revealed by Microsoft.
The targets of these attacks included an IT asset monitoring solution vendor based in Latvia and a think tank located in South Korea, the latter of which entailed the abuse of legitimate security software that's widely used in the country to execute the payloads.
The twin attacks "point to Lazarus building supply chain attack capabilities," Kaspersky noted at the time. The adversarial crew has since been blamed for the supply chain attack aimed at enterprise VoIP service provider 3CX that came to light last month.
Kaspersky said it discovered another attack in March 2022 that targeted several victims in South Korea by exploiting the same security software to deliver downloader malware capable of distributing a backdoor as well as an information stealer for harvesting keystroke and clipboard data.
"The newly implanted backdoor is capable of executing a retrieved payload with named-pipe communication," Park said, adding it's also "responsible for collecting and reporting the victim's information."
Around the same time, the same backdoor is said to have been utilized to compromise a defense contractor in Latin America using DLL side-loading techniques upon opening a specially-crafted PDF file using a trojanized PDF reader.
The Lazarus Group has also been linked to a successful breach of another defense contractor in Africa last July in which a "suspicious PDF application" was sent over Skype to ultimately drop a variant of a backdoor dubbed ThreatNeedle and another implant known as ForestTiger to exfiltrate data.
"The Lazarus group is a notorious and highly skilled threat actor," Park said. "As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities."