The North Korean threat actor known as Lazarus Group has been observed switching targets and refining its techniques as part of a campaign dubbed "DeathNote" by Kaspersky.
Describing the findings in an advisory published earlier today, Kaspersky's senior security researcher Seongsu Park said the team has been tracking the campaign, also known as Operation DreamJob or NukeSped, since 2019.
"The malware author used decoy documents that were related to the cryptocurrency business, such as a questionnaire about buying specific cryptocurrency, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company," Park explained.
However, Kaspersky observed a significant shift in the attack's targets, as well as updated infection vectors, in April 2020.
"Our analysis showed that the DeathNote cluster was used to target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense sector," reads the advisory. "At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services."
The infection chain was also refined, relying not only on the remote template injection technique in weaponized documents but also on trojanized open-source PDF viewer software.
In May 2021, the DeathNote campaign then began targeting an IT company in Europe that provided solutions for monitoring network devices and servers, as well as several targets in South Korea.
"One thing that caught our attention was that the initial stage of the malware was executed by legitimate security software that is widely used in South Korea," Park said. "Almost one year later, in March 2022, we discovered that the same security program had been exploited to propagate similar downloader malware to several victims in South Korea."
Read more on related attacks here: Lazarus Group Targets South Korean Finance Firm Via Zero-Day Flaw
Around the same time, Kaspersky also discovered that the same backdoor was used to compromise a defense contractor in Latin America.
"In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa," Park added. "This attack heavily relied on the same DLL side-loading technique that we observed in the previous case. The payload that was initially implanted and executed by the PDF reader was responsible for collecting and reporting the victim's information."
Thanks to the investigation into the DeathNote campaign, Kaspersky said it gained comprehensive information about the Lazarus Group's post-exploitation strategy.
"Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques and procedures over the years," concluded Park. "By staying informed and implementing strong security measures, organizations can reduce the risk of falling victim to this dangerous adversary."
The Kaspersky advisory comes a couple of months after security researchers at WithSecure reported observing an "operational security mistake" by the Lazarus Group during an attack on specific research, medical and energy sector organizations.
Some parts of this article are sourced from:
www.infosecurity-journal.com