The evolution of Lazarus’ DeathNote cluster

Kaspersky recently investigated DeathNote, one of the clusters belonging to the infamous Lazarus group, which has transformed dramatically over the years, beginning in 2019 with attacks on cryptocurrency-related businesses worldwide.

By the end of 2022, it was responsible for targeted campaigns that affected IT companies and defence companies in Europe, Latin America, South Korea, and Africa.

The latest report by Kaspersky tracks a shift in DeathNote’s targets, as well as the development and refinement of their tools, techniques, and procedures during the last four years.

The infamous threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, Kaspersky noticed that in one case it employed significantly modified malware.

In mid-October 2019, Kaspersky experts came across a suspicious document uploaded to VirusTotal. The malware author used decoy documents that were related to the cryptocurrency business. These include a questionnaire on specific cryptocurrency purchasing, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company. This was the first time the DeathNote campaign came into play, targeting individuals and companies involved in cryptocurrency in Cyprus, the US, Taiwan, and Hong Kong.

However, in April 2020, Kaspersky saw a significant shift in DeathNote’s infection vectors. Research revealed that the DeathNote cluster was being used to target automotive and academic organisations in Eastern Europe linked to the defence industry.

At this time, the actor switched all of its decoy documents to job descriptions from defence contractors and diplomatic-related themes. Besides that, the actor expanded its infection chain, using the remote template injection technique in its weaponised documents and utilising Trojanised open-source PDF viewer software. Both of these infection methods result in the same malware (the DeathNote downloader), which is responsible for uploading the victim’s information.

In May 2021, Kaspersky observed that an IT company in Europe, which provides solutions for network device and server monitoring, was compromised by the DeathNote cluster. Moreover, in early June 2021, this Lazarus subgroup began utilising a new mechanism to infect targets in South Korea. What caught the researchers’ attention was that the initial stage of the malware was executed by legitimate software, which is widely used for security in South Korea.

While monitoring DeathNote during 2022, Kaspersky researchers discovered that the cluster was responsible for attacks on a defence contractor in Latin America. The initial infection vector was similar to that used against other defence industry targets, involving a Trojanised PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload.

In an ongoing campaign first discovered in July 2022, it was revealed that the Lazarus group had successfully breached a defence contractor in Africa. The initial infection was a suspicious PDF application sent via Skype messenger. When the PDF reader was executed, it created both a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the same directory.
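A defender-side hunt for the artefact pair described above (a legitimate CameraSettingsUIHost.exe dropped next to a DUI70.dll outside the Windows system directory), as an added example that is not from Kaspersky’s report; the file inventory is constructed, and the expected location of the legitimate binaries under the Windows system directory is an assumption.

```python
import ntpath
from typing import Iterable

# Constructed sample of a host file inventory (as an EDR file listing might
# provide it); these paths are illustrative, not indicators from the report.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\CameraSettingsUIHost.exe",
    r"C:\Windows\System32\DUI70.dll",
    r"C:\Users\alice\Downloads\PDFReader\CameraSettingsUIHost.exe",
    r"C:\Users\alice\Downloads\PDFReader\DUI70.dll",
    r"C:\Users\alice\Downloads\PDFReader\reader.exe",
    r"C:\Users\bob\Documents\DUI70.dll",
]

# Assumption: the genuine copies of both binaries live in the system directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOST_EXE = "camerasettingsuihost.exe"
SIDELOADED_DLL = "dui70.dll"


def find_sideload_pairs(paths: Iterable[str]) -> list[dict]:
    """Flag directories outside the system dirs holding DUI70.dll, and rank
    those where the host EXE is co-located (the side-loading layout) highest."""
    by_dir: dict[str, set[str]] = {}
    for p in paths:
        directory, name = ntpath.split(p)
        key = directory.lower().rstrip("\\")
        by_dir.setdefault(key, set()).add(name.lower())

    findings = []
    for directory, names in by_dir.items():
        if directory in SYSTEM_DIRS:
            continue  # expected location, nothing to report
        has_exe = HOST_EXE in names
        has_dll = SIDELOADED_DLL in names
        if has_exe and has_dll:
            findings.append({"directory": directory, "severity": "high",
                             "reason": "host EXE and DUI70.dll co-located outside system dir"})
        elif has_dll:
            findings.append({"directory": directory, "severity": "medium",
                             "reason": "DUI70.dll outside system dir without host EXE"})
    return findings


if __name__ == "__main__":
    for finding in find_sideload_pairs(SAMPLE_INVENTORY):
        print(finding)
```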

“The Lazarus group is an infamous and highly skilled threat actor,” says Seongsu Park, lead security researcher, GReAT at Kaspersky. “Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques, and procedures over the years. In this campaign, Lazarus isn’t confined to crypto-related business, but has gone much further. It deploys both legitimate software and malicious files to compromise defence enterprises.

“As the Lazarus group continues to refine its approaches, it is crucial for organisations to maintain vigilance and take proactive measures to defend against its malicious activities,” Park adds.