Evolution of Lazarus’ DeathNote Cluster: from Cryptocurrency Attacks to Defense Sector

The infamous threat actor, Lazarus, has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, Kaspersky noticed that they employed a significantly changed malware in one case. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal. The malware author used decoy documents that were related to the cryptocurrency business. These include a questionnaire on specific cryptocurrency purchasing, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company. This was the first time the DeathNote campaign came into play, targeting individuals and companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.

Timeline of the DeathNote cluster

However, in April 2020 Kaspersky saw a significant shift in the DeathNote’s infection vectors. Research revealed that the DeathNote cluster was employed in the targeting of the automotive and academic organizations in Eastern Europe linked to the defense industry. At this time, the actor switched all decoy documents related to job descriptions from defense contractors and diplomatic-related ones. Besides that, the actor elaborated its infection chain, using the remote template injection technique in their weaponized documents, and utilized Trojanized open-source PDF viewer software. Both of these methods of infection result in the same malware (DeathNote downloader), which is responsible for uploading the victim’s information.

In May 2021, Kaspersky observed that an IT company in Europe, which provides solutions for network device and server monitoring, was compromised by the DeathNote cluster. Moreover, in early June 2021, this Lazarus subgroup began utilizing a new mechanism to infect targets in South Korea. What caught the researchers’ attention was that the initial stage of the malware was executed by legitimate software, which is widely used for security in South Korea. 

While monitoring DeathNote during 2022, Kaspersky researchers discovered that the cluster has been responsible for attacks on a defense contractor in Latin America. The initial infection vector was similar to what we've seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload. 

In the ongoing campaign that was first discovered in July 2022, it was revealed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via Skype messenger. Upon executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and malicious file (DUI70.dll) in the same directory.

 “The Lazarus group is an infamous and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques, and procedures over the years. In this campaign, Lazarus isn’t confined to crypto-related business but has gone much further. It deploys both legitimate software and malicious files to compromise defense enterprises. As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities,” comments Seongsu Park, lead security researcher, GReAT at Kaspersky. 

Dipesh Kaura,General Manager,South Asia at Kaspersky said,“We have been tracking the Lazarus group's activities for many years, and the DeathNote cluster is a significant part of their cyber-espionage toolkit. Since our initial discovery of this malware in 2015, we have observed a steady evolution of the DeathNote cluster, with new modules and capabilities added over time. One of the most notable features of this malware is its ability to customize payloads based on specific objectives and targets, which makes it highly effective in evading detection by antivirus software. Additionally, using encryption and other advanced techniques allows the Lazarus group to maintain a persistent presence in targeted networks and to exfiltrate sensitive data without detection.Adopting an anti-fraud solution may secure Bitcoin transactions by identifying and preventing account theft, unconfirmed transactions, and money laundering. Our EDR solution offers quick incident identification and response to emerging threats. Kaspersky Managed Detection and Response deliver threat-hunting capabilities against targeted assaults and a proven track record of effective targeted attack research ensure continuous defense against even the most complex threats”

To find out more about Lazarus’ DeathNote cluster, different stages of campaign and its TTPs, check the full report on Securelist.

To avoid falling victim to targeted attacks by known or unknown threat actors, Kaspersky researchers recommend implementing the following measures:

• Carry out a cybersecurity audit and monitor your networks constantly to rectify any weaknesses or malicious elements discovered in the perimeter or inside the network.

• Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.

• Educate your employees to download software and mobile apps only from trusted sources and official app stores.

• Use EDR product to enable timely incident detection and response to advanced threats. A service such as Kaspersky Managed Detection and Response provides threat hunting capabilities against targeted attacks.  

• Adopt an anti-fraud solution that can protect cryptocurrency transactions by detecting and preventing account theft, unverified transactions and money laundering.