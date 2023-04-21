Kaspersky has published its investigation into DeathNote, a cluster of the Lazarus group whose targeting has shifted over the years from the cryptocurrency sector to IT and defense. Starting in 2019 with attacks on companies operating in the cryptocurrency sector worldwide, by the end of 2022 the cluster was running targeted campaigns against IT and defense companies in Europe, Latin America, South Korea and Africa. Kaspersky's latest report traces this change in DeathNote's objectives, together with the development and refinement of its tools, techniques and procedures over the past four years.

The first appearance of DeathNote

The well-known threat actor Lazarus has been targeting cryptocurrency companies for a long time. While monitoring its activity, Kaspersky noticed that in one case the group used modified malware. In mid-October 2019, researchers came across a suspicious document uploaded to VirusTotal. The malware author used decoy documents related to the cryptocurrency business: a questionnaire on buying specific cryptocurrencies, an introduction to a particular cryptocurrency, and a document about a bitcoin mining company. This was the first appearance of the DeathNote campaign, which targeted individuals and businesses involved in cryptocurrencies in Cyprus, the US, Taiwan and Hong Kong.

A change of target

In April 2020, however, Kaspersky noticed a significant change in DeathNote's infection vectors. Research revealed that the cluster was being used to target automotive and academic organizations in Eastern Europe linked to the defense industry. At this point the actor switched all of its decoy documents to job descriptions for defense contractors and documents relating to the diplomatic sphere. It also refined its infection chain, using remote template injection in the weaponized documents and a trojanized open-source PDF viewer. Both infection methods lead to the same malware, the DeathNote downloader, which is responsible for uploading the victim's information.
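Remote template injection, as used in the weaponized documents above, works by giving a Word document an "attached template" relationship whose target is an external URL: Word fetches the template when the file is opened, and the template is where the macro code lives. The following check is an added example, not code from Kaspersky's report; it inspects a .docx package for exactly that relationship. The sample document it builds, including the placeholder URL, is constructed here for the demonstration and is not an indicator from the campaign.

```python
"""Check a .docx package for remote template injection.

Added example, not code from Kaspersky's report.  Word stores an attached
template as a Relationship of Type ".../attachedTemplate" in
word/_rels/settings.xml.rels; when TargetMode="External", Word fetches the
template from the URL at open time, which is what this technique abuses.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ODR_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the package.

    Every *.rels part is scanned, not only settings.xml.rels, so a
    relationship placed in an unusual part is still caught.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal .docx skeleton in memory.

    Constructed sample for the check above, not a real lure.  Only the parts
    the check inspects are present; a document Word will open needs more.
    """
    settings = f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" xmlns:r="{ODR_NS}">'
    rels = [f'<?xml version="1.0"?><Relationships xmlns="{RELS_NS}">']
    if template_url is not None:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    settings += "</w:settings>"
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"/>')
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demo; not an indicator from the report.
    lure = build_sample_docx("http://template.example.invalid/defense-job.dotm")
    print("lure:", find_remote_templates(lure))    # ['http://template.example.invalid/defense-job.dotm']
    print("clean:", find_remote_templates(build_sample_docx(None)))  # []
```

Run it against real mail attachments by reading the file bytes into find_remote_templates; any non-empty result is worth a closer look, since legitimate documents rarely attach a template over HTTP. The same relationship type also appears in .dotx/.dotm and in documents that were merely saved from a corporate template, so treat a hit on an internal share as a tuning case rather than an alert on its own.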

How DeathNote is evolving

In May 2021, Kaspersky observed that a European IT company providing solutions for monitoring network devices and servers was compromised by DeathNote. Then, in early June 2021, this Lazarus subgroup began using a new mechanism to infect targets in South Korea. What caught the researchers' attention is that the initial stage of the malware was executed by legitimate security software used in South Korea.

A modified PDF file

While monitoring DeathNote throughout 2022, Kaspersky researchers discovered that the cluster was responsible for attacks on a defense contractor in Latin America. The initial infection vector was similar to the one already seen against other targets in the same sector: a trojanized PDF reader combined with a crafted PDF file. In this case, however, the actor adopted a DLL side-loading technique to execute the final payload.

How DeathNote works

In the ongoing campaign, first discovered in July 2022, the Lazarus group was found to have successfully compromised a defense contractor in Africa. The initial infection was a suspicious PDF application sent via Skype messenger. Once run, the trojanized PDF reader dropped a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) into the same directory. This is the side-loading setup: the legitimate executable loads the attacker's DUI70.dll from its own directory in place of the genuine Windows library of that name.
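The pairing described above (a genuine Windows executable placed next to a DLL that carries the name of a Windows system library) is what makes DLL side-loading detectable from image-load telemetry. The following rule is an added example, not code from Kaspersky's report; it runs over constructed records that mimic the fields of an image-load event (the process image and the loaded DLL) and flags a system-DLL name loaded from the process's own directory rather than from System32. The file paths, the key=value log format and the DLL names other than DUI70.dll are assumptions made for the demonstration.

```python
"""Flag DLL side-loading in image-load telemetry.

Added example, not code from Kaspersky's report.  The records below are
constructed to resemble the fields of an image-load event (Image = the
process executable, ImageLoaded = the DLL); they are not logs from the
campaign.  The rule encodes the setup described in the text: a legitimate
Windows executable copied next to a DLL that carries the name of a Windows
system library, so the executable picks up the attacker's DLL from its own
directory instead of the genuine one in System32.
"""
import ntpath
from typing import Dict, List

# DLL names that, on a clean host, live only under the Windows system
# directories.  DUI70.dll is the one named in the report; the other two are
# hypothetical entries you would replace with a list generated from a
# baseline of your own hosts.
SYSTEM_DLLS = {"dui70.dll", "duser.dll", "uxtheme.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' line (constructed log format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload(event: Dict[str, str]) -> bool:
    """True when a system-DLL name is loaded from the process's own directory."""
    image_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if dll_name not in SYSTEM_DLLS:
        return False              # not a name we expect only in System32
    if dll_dir in SYSTEM_DIRS:
        return False              # genuine library from its normal location
    return dll_dir == image_dir   # hallmark of side-loading: co-located files


def flag_sideloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the side-loading rule."""
    return [e for e in map(parse_event, lines) if is_sideload(e)]


# Constructed sample telemetry.  The second line mirrors the report's
# description: a dropped CameraSettingsUIHost.exe loading DUI70.dll from
# the same folder (the folder itself is an assumption).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\CameraSettingsUIHost.exe|ImageLoaded=C:\Windows\System32\DUI70.dll",
    r"Image=C:\Users\victim\AppData\Local\Temp\CameraSettingsUIHost.exe|ImageLoaded=C:\Users\victim\AppData\Local\Temp\DUI70.dll",
    r"Image=C:\Program Files\PdfViewer\viewer.exe|ImageLoaded=C:\Program Files\PdfViewer\viewer.dll",
    r"Image=C:\Program Files\PdfViewer\viewer.exe|ImageLoaded=C:\Windows\System32\uxtheme.dll",
]

if __name__ == "__main__":
    for hit in flag_sideloads(SAMPLE_LOG):
        print("side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the second record fires: the same executable loading DUI70.dll from System32 is the normal case, and an application loading its own viewer.dll does not carry a system-library name. In production, feed the rule with image-load events that also carry signer information, and expect a small number of legitimate applications that ship their own copy of a system-named DLL; those go on an allowlist rather than into the SYSTEM_DLLS set.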

Beyond cryptocurrency: how DeathNote is evolving

Seongsu Park, Lead Security Researcher at Kaspersky's GReAT, said:

The Lazarus Group is a well-known and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution of its tactics, techniques and procedures over the years. In this campaign, Lazarus is not limited to crypto-related activities; it has gone far beyond that. It uses both legitimate software and malicious files to compromise defense companies. As the Lazarus Group continues to refine its approaches, it is imperative that organizations pay attention and take proactive steps to defend themselves.

Protecting against such attacks

To protect against such attacks, whether from known or unknown actors, Kaspersky researchers recommend:

Perform a cybersecurity audit of your networks and monitor them continuously, so that any weaknesses or malicious elements can be remediated.

Provide your staff with basic cybersecurity training, since many targeted attacks start with phishing or other social engineering techniques.

Detect incidents quickly.