Lazarus group targets new sectors with evolving tactics
The notorious North Korean threat group, the Lazarus Group, has shifted its focus and updated its tactics as part of a campaign called DeathNote, according to cybersecurity firm Kaspersky. While the group is best known for targeting the cryptocurrency sector, its recent attacks have expanded to include the automotive, academic, and defense sectors in Eastern Europe and elsewhere.
Seongsu Park, a Kaspersky researcher, explained that “at this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services.”
The DeathNote cluster is also known as Operation Dream Job or NukeSped and has been tracked by other firms, including Google-owned Mandiant. The phishing attacks typically use bitcoin-themed lures to encourage potential victims to open macro-laced documents, which then drop the Manuscrypt (aka NukeSped) backdoor onto the compromised machine.
Kaspersky also noted that the Lazarus Group had deployed a trojanized version of a legitimate PDF reader called SumatraPDF Reader to initiate its malicious routine. The group’s use of rogue PDF readers has been previously revealed by Microsoft.
Kaspersky also reported that the group compromised a defense contractor in Latin America by using DLL side-loading techniques after the victim opened a trojanized PDF file.
Lazarus has also been targeting the automotive and academic sectors in its recent cyberattacks, according to Kaspersky, which says these attacks are part of the group’s larger campaign against the defense industry.
Kaspersky revealed that the group deployed the BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants to carry out these attacks.
The targets of these attacks included an IT asset monitoring solution vendor based in Latvia and a think tank in South Korea. The group also abused legitimate security software widely used in South Korea to execute the payloads.
Kaspersky also discovered another attack in March 2022 that targeted several victims in South Korea by exploiting the same security software to deliver downloader malware capable of distributing a backdoor and an information stealer for harvesting keystroke and clipboard data.
The sources for this piece include an article in TheHackerNews.