Kaspersky has investigated DeathNote, a cell belonging to the infamous Lazarus group that has undergone a substantial transformation in recent years.
DeathNote began with cryptocurrency-related attacks in 2019 and, by the end of 2022, was responsible for targeted campaigns against IT and defense companies in Europe, Latin America, South Korea, and Africa. Kaspersky’s most recent report examines how DeathNote’s targets, tools, techniques, and procedures have evolved over the past four years.
The report traces the DeathNote cluster’s shift from cryptocurrency operations to the defense sector, accompanied by more capable tooling.
In April 2020, Kaspersky detected a change in the DeathNote cluster’s infection methods. Using the remote template injection technique and a Trojanized open-source PDF viewer, the cluster targeted automotive and academic organizations in Eastern Europe associated with the defense industry.
The actor also changed its decoy documents: the fake job descriptions no longer impersonated defense contractors but diplomatic organizations. In May 2021, a European IT company was compromised, and at the beginning of June 2021 the Lazarus subgroup began using a new mechanism to infect South Korean targets.
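Remote template injection, mentioned above, works because Word fetches an attached template declared in the document package with an external target when the file is opened. The following is an added detection example, not Kaspersky’s code or anything from the report: it builds small constructed .docx packages in memory and scans the settings relationships part for attachedTemplate relationships that resolve externally, which is the indicator a mail gateway or sandbox would flag. The template URLs it uses are placeholders.

```python
"""Scan .docx packages for remote (externally resolved) attached templates.

Added defensive example with constructed sample documents; not code from
Kaspersky or the DeathNote report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespace and relationship type used by Word for attached templates.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
SETTINGS_RELS_PATH = "word/_rels/settings.xml.rels"


def find_external_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship marked External.

    A document with no attached template, or one whose template is a local
    path without TargetMode="External", yields an empty list. An external
    target (typically http/https or a UNC path) is what remote template
    injection relies on and is worth quarantining for analysis.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS_PATH not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(SETTINGS_RELS_PATH))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                    and rel.get("TargetMode") == "External"):
                findings.append(rel.get("Target", ""))
    return findings


def build_sample_docx(template_target: Optional[str] = None,
                      external: bool = True) -> bytes:
    """Construct a minimal .docx in memory (constructed sample for testing).

    Only the parts needed by the scanner are written; the package is not a
    complete Word document.
    """
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            f'<Relationships xmlns="{PKG_REL_NS}">']
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                    f'Target="{template_target}"{mode}/>')
    rels.append("</Relationships>")

    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"/>')
        # settings.xml references the relationship by id when a template is attached.
        settings = (f'<w:settings xmlns:w="{w_ns}">'
                    + ('<w:attachedTemplate r:id="rId1" xmlns:r="'
                       'http://schemas.openxmlformats.org/officeDocument/2006/'
                       'relationships"/>' if template_target else "")
                    + "</w:settings>")
        zf.writestr("word/settings.xml", settings)
        zf.writestr(SETTINGS_RELS_PATH, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: plain document, local template, remote template (placeholder URL).
    samples = {
        "plain": build_sample_docx(),
        "local-template": build_sample_docx("Normal.dotm", external=False),
        "remote-template": build_sample_docx(
            "http://template-host.example/placeholder.dotm"),
    }
    for name, data in samples.items():
        hits = find_external_templates(data)
        verdict = "FLAG" if hits else "ok"
        print(f"{name:16} {verdict} {hits}")
```

In practice the same check runs over attachments at the mail gateway or over files dropped into a sandbox; a hit does not prove malice, but an external attachedTemplate in an inbound document is rare enough in most environments to justify detonating it before delivery.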
In 2022, Kaspersky found the cluster responsible for attacks on a Latin American defense contractor that combined a Trojanized PDF reader, a crafted PDF file, and a side-loading technique, delivered via Skype messenger. The cluster also successfully compromised an African defense contractor.
Antivirus software cannot identify the malware, since the actor adapts its payloads to specific goals and targets.
Since its discovery in 2015, the DeathNote cluster has evolved substantially, with new modules and capabilities added over time. Because payloads are customized for specific objectives and targets, the malware is highly effective at eluding detection by antivirus software.
Kaspersky advises retaining vigilance and taking proactive measures to defend against the nefarious activities of the Lazarus group.
To prevent targeted attacks, Kaspersky recommends conducting cybersecurity audits, training employees in fundamental cybersecurity hygiene, obtaining software only from reputable sources, deploying EDR for timely incident detection and response, and adopting anti-fraud solutions to safeguard cryptocurrency transactions. For targeted attacks, Kaspersky Managed Detection and Response provides threat hunting capabilities.