Lazarus’ DeathNote In Focus

Kaspersky recently put DeathNote under surveillance, one of the clusters belonging to the Lazarus cyberattack group.
 Lazarus’ DeathNote In Focus
READING NOW Lazarus’ DeathNote In Focus

Kaspersky recently put DeathNote under surveillance, one of the clusters belonging to the Lazarus cyberattack group.

Starting out in 2019 with attacks on crypto-related companies around the world, DeathNote has undergone a major transformation over the years. At the end of 2022, the group became responsible for targeted attacks affecting IT and defense companies in Europe, Latin America, South Korea and Africa.

Kaspersky’s latest report highlights the evolution and improvement of DeathNote’s tools, techniques and procedures over the past four years, as well as the change in objectives.

Kaspersky Reviews DeathNote

Kaspersky recently put DeathNote under surveillance, one of the clusters belonging to the Lazarus cyberattack group.

Notorious threat actor Lazarus has long been persistently targeting crypto-related businesses. While monitoring the activities of this threat actor, Kaspersky noticed the use of significantly modified malware in one case.

Kaspersky experts came across a suspicious document that was uploaded to VirusTotal in October 2019. Accordingly, the person who prepared the malware had activated fake documents related to the cryptocurrency. These included a survey about buying a particular cryptocurrency, guides to getting into a particular cryptocurrency, and login information to a Bitcoin mining company. The DeathNote campaign first targeted individuals and companies interested in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.

However, Kaspersky observed a significant shift in the infection vectors of DeathNote in April 2020. Research has shown that the DeathNote cluster is targeting defense industry-related automotive companies and academic institutions in Eastern Europe. Meanwhile, the threat actor was busy replacing fake job description documents from defense industry contractors and diplomatic contacts. In addition, documents, each weaponized, were supported by open source PDF viewer software with Trojan horse feature, which was included in the infection chain by remote template injection technique, making the attack more powerful. Both of these infection methods resulted in the installation of the DeathNote downloader software, which was responsible for leaking the victim’s information.

In May 2021, Kaspersky realized that an IT company in Europe that provides network device and server monitoring solutions had been taken over by the DeathNote cluster. Also, in early June 2021, the Lazarus subgroup began using a new mechanism to infect targets in South Korea. What caught the researchers’ attention here was that the first stage of the malware was run by legitimate software that was widely used for security in South Korea.

Comments
Leave a Comment

Details
98 read
okunma62270
0 comments