The North Korean group known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tooling and tactics as part of a long-running campaign tracked as DeathNote.
The Lazarus Group (or Lazarus group, whatever you prefer) is not new: we have already talked about it previously.
While the group is best known for intrusions into the cryptocurrency sector, recent attacks have also targeted the automotive, academic and defense sectors in Eastern Europe and other parts of the world, in what is seen as a “significant” shift in the group's posture and targeting.
Lazarus Group: what they do and what their goals are
“At this point, the author [or the authors, the Lazarus group] changed all decoy documents into job descriptions related to defense contractors and diplomatic services,” Kaspersky researcher Seongsu Park said in an analysis published Wednesday.
The shift in targeting away from cryptocurrency operations, along with the use of updated infection vectors, appears to have occurred in April 2020. It is worth noting that the DeathNote cluster is also tracked under the names Operation Dream Job and NukeSped. Google-owned Mandiant has also tied a subset of the activity to a group it tracks as UNC2970.
Phishing attacks against cryptocurrency companies typically use bitcoin-mining-themed lures in email messages to entice targets into opening macro-laden documents that drop the Manuscrypt backdoor (aka NukeSped) on the compromised machine.
The targeting of the automotive and academic sectors is tied to the Lazarus group's broader attacks on the defense industry, as documented by the Russian cybersecurity company in October 2021, which led to the deployment of the BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants.
In another attack, the Lazarus Group employed a trojanized version of a legitimate PDF reader application called SumatraPDF Reader to launch its malicious routine. The Lazarus Group's use of rogue PDF reader applications was previously disclosed by Microsoft.
The targets of these attacks included a Latvia-based vendor of IT asset monitoring solutions and a think tank located in South Korea, the latter involving the abuse of legitimate security software widely used in the country to execute the payloads.
“The two attacks demonstrate Lazarus's ability to mount supply chain attacks,” Kaspersky observed at the time; the Lazarus Group was later blamed for the supply chain attack on enterprise VoIP service provider 3CX that came to light last month.
What else do we know about the Lazarus group?
Kaspersky said it discovered another attack in March 2022 that targeted multiple individuals in South Korea by leveraging the same security software to distribute a malware downloader capable of delivering a backdoor and an information stealer to harvest keystrokes and clipboard data.
“The new backdoor implemented is capable of executing a retrieved payload with named pipe communication,” Park said, adding that it is also “responsible for collecting and reporting victim information.”
Around the same time, the same backdoor was reportedly used to compromise a defense contractor in Latin America by means of DLL side-loading techniques, triggered when a specially crafted PDF file was opened with a trojanized PDF reader.
Lazarus has also been linked to the successful breach of another defense contractor in Africa last July, in which a “suspicious PDF program” was delivered over Skype to ultimately download a variant of a backdoor called ThreatNeedle and another tool known as ForestTiger to exfiltrate data.
“The Lazarus Group is a well-known and highly skilled threat actor,” Park said. “As Lazarus Group continues to refine its approaches, it is imperative that organizations maintain vigilance and take preventive measures to defend against its malicious activities.”