Lazarus Group Unleashed 'DeathNote' Campaign on Defense Industry and Cryptocurrency Targets
Category: Threat Actor Activity | Industries: Defense, Financial Services, Technology | Level: Tactical | Source: Kaspersky
DeathNote (aka Operation DreamJob or NukeSped) is a notorious threat campaign run by the North Korean threat group Lazarus to distribute its DeathNote malware strain. Targets of the campaign have included financial service organizations, specifically those associated with cryptocurrency, as well as entities and contractors associated with defense. Kaspersky researcher Seongsu Park provided analysis of this cluster of Lazarus activity, describing how a malicious Word document uploaded to VirusTotal in October 2019 was attributed to Lazarus and traced to an actor that had been producing similar documents since October 2018. The uploaded document was structured as a questionnaire aimed at a cryptocurrency organization. This activity aligns with reports of the DeathNote operation being active since at least early 2020. In the infection procedure, the weaponized document contains a malicious macro that executes an embedded malware downloader; a trojanized application then injects itself into a Windows service and connects to the attacker's command-and-control (C2) server.
Lazarus's campaign expanded in April 2020 with new infection techniques and the addition of defense organizations to its target profile. The improved infection method used a remote template injection technique and also abused trojanized open-source PDF viewer software. Both methods infect the victim's computer with the same malware (the DeathNote downloader), which conducts system reconnaissance, drops additional malware payloads, and communicates with the attacker's C2. Kaspersky's report identified a further expansion of the campaign in May 2021, with an attack on a technology company located in Europe, likely an attempt to initiate a supply-chain attack. Lazarus has continued this targeting since, breaching a defense contractor in July 2022. In post-exploitation, operators executed Windows reconnaissance commands to identify high-value targets before collecting credentials, moving laterally, and exfiltrating valuable data to their C2.
- Recon to Credential Theft & Exfiltration
Anvilogic Use Cases:
- Account Discovery Commands - Windows
- Common LSASS Memory Dump Behavior
- Stored Credentials from Web Browsers - Windows
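As an added illustration of the first use case listed above (example code written for this page, not Anvilogic's or Kaspersky's own detection logic), a small Python detector that flags a host/user pair running several distinct Windows account-discovery commands within a short window, run over constructed process-creation events; the command patterns, thresholds and sample data are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for common Windows account discovery commands (assumed list).
DISCOVERY_PATTERNS = {
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+(local)?group\b", re.I),
    "whoami": re.compile(r"\bwhoami(\.exe)?\b", re.I),
    "query_user": re.compile(r"\b(query\s+user|quser)(\.exe)?\b", re.I),
    "dsquery": re.compile(r"\bdsquery(\.exe)?\s+user\b", re.I),
}
def classify(cmdline):
    """Return the discovery category a process command line matches, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None

def detect_account_discovery(events, window_minutes=10, min_distinct=3):
    """Group process-creation events (dicts with 'time' as ISO 8601, 'host', 'user',
    'cmdline') by host/user and alert when >= min_distinct categories occur in a window."""
    hits = defaultdict(list)
    for ev in events:
        category = classify(ev["cmdline"])
        if category:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), category))
    window, alerts = timedelta(minutes=window_minutes), []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            cats = sorted({c for t, c in seq[i:] if t - start <= window})
            if len(cats) >= min_distinct:  # one alert per host/user pair
                alerts.append({"host": host, "user": user, "start": start.isoformat(), "categories": cats})
                break
    return alerts

# Constructed sample events (not real telemetry): WS01 shows the recon burst, WS02 does not.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:01:10", "host": "WS01", "user": "jdoe", "cmdline": "whoami /all"},
    {"time": "2024-01-15T09:01:45", "host": "WS01", "user": "jdoe", "cmdline": "net user /domain"},
    {"time": "2024-01-15T09:03:02", "host": "WS01", "user": "jdoe", "cmdline": 'net group "domain admins" /domain'},
    {"time": "2024-01-15T09:04:30", "host": "WS01", "user": "jdoe", "cmdline": "quser"},
    {"time": "2024-01-15T09:05:00", "host": "WS02", "user": "svc_backup", "cmdline": "net user backupadmin"},
    {"time": "2024-01-15T11:20:00", "host": "WS02", "user": "svc_backup", "cmdline": "whoami"},
]
if __name__ == "__main__":
    for alert in detect_account_discovery(SAMPLE_EVENTS):
        print(alert)
```

The isolated `net user` on WS02 is deliberately not alerted on, since single discovery commands are common in legitimate administration; the signal is the burst of distinct categories.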