The North Korean threat actor known as Lazarus Group has been observed switching targets and refining its techniques as part of a campaign dubbed “DeathNote” by Kaspersky.
Describing the discovery in an advisory published earlier today, Kaspersky’s senior security researcher Seongsu Park said the team has been tracking the campaign, also known as Operation DreamJob or NukeSped, since 2019.
“The malware author used decoy documents that were related to the cryptocurrency business, such as a questionnaire about buying specific cryptocurrency, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company,” Park explained.
However, Kaspersky uncovered a significant change in the attack’s targets as well as updated infection vectors in April 2020.
“Our research showed that the DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense industry,” reads the advisory. “At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.”
The infection chain was also refined, relying not only on the remote template injection technique in weaponized documents but also on trojanized open-source PDF viewer software.
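Remote template injection works because Word resolves the document’s “attachedTemplate” relationship when the file is opened, so a defender can triage suspicious .docx files by looking for a template target that points off the host. The following check is an added example, not code from the article or from Kaspersky; the sample document it builds is a constructed, minimal zip containing only the parts the check reads, and the URLs in it are placeholders.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# OOXML relationships namespace and the relationship type Word resolves when a
# document opens; a network Target here is the remote template injection pattern.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"


def is_remote_target(target: str) -> bool:
    """True for targets fetched over the network (http/https URL or UNC path)."""
    return target.startswith("\\\\") or urlparse(target).scheme.lower() in ("http", "https")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return attachedTemplate targets that point off the host.

    A file:// target (the normal case for a local .dotm such as Normal.dotm)
    is not reported, so ordinary documents do not trigger a false positive.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and is_remote_target(target):
            hits.append(target)
    return hits


def build_sample_docx(template_target=None) -> bytes:
    """Construct a minimal zip with only the parts the check reads (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if template_target is not None:
            z.writestr(RELS_PART, f'<Relationships xmlns="{REL_NS}"><Relationship '
                       f'Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                       f'TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run `find_remote_templates` over the bytes of a real .docx to list any network-hosted templates; an empty list means the document carries no attached template that would be fetched remotely on open.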
In May 2021, the DeathNote campaign then began targeting an IT company in Europe that provided solutions for monitoring network devices and servers, as well as various targets in South Korea.
“One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in South Korea,” Park explained. “Almost one year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea.”
Read more on similar attacks here: Lazarus Group Targets South Korean Finance Company Via Zero-Day Flaw
Around the same time, Kaspersky also discovered that the same backdoor was used to compromise a defense contractor in Latin America.
“In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa,” Park added. “This attack heavily relied on the same DLL side-loading technique that we observed in the previous case. The payload that was initially implanted and executed by the PDF reader was responsible for collecting and reporting the victim’s information.”
Thanks to the investigation into the DeathNote campaign, Kaspersky said it obtained comprehensive data regarding the Lazarus Group’s post-exploitation strategy.
“Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques and procedures over the years,” concluded Park. “By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary.”
The Kaspersky advisory comes a few months after security researchers at WithSecure reported observing an “operational security mistake” by the Lazarus Group during an attack on targeted research, healthcare and energy sector organizations.