An operation within North Korea's notorious Lazarus Group that initially focused solely on coin-mining attacks has begun targeting defense sector organizations around the world.

The DeathNote cluster's shift in focus began in 2020 with attacks on automotive and academic organizations in Eastern Europe linked to the defense industry. Researchers from Kaspersky that have been tracking DeathNote's activities found the Lazarus subgroup following up on that attack with subsequent campaigns on defense and defense-related companies in Europe, Latin America, Africa, and South Korea.

An Ongoing RAT Campaign

Kaspersky observed DeathNote engaged in two campaigns against defense companies in 2022 alone. One of them is still ongoing and involves a defense sector organization in Africa. The security vendor discovered the campaign last July and found DeathNote initially breached the company via a Trojanized, open source PDF reader sent via Skype messenger. Once executed, the PDF reader created a legitimate file and a malicious file in the same directory on the infected machine. 

It then used a technique known as DLL side loading to install malware for stealing system information and downloaded a sophisticated second-stage remote access trojan (RAT) called Copperhedge from an attacker-controlled command-and-control server (C2). Copperhedge is malware that Lazarus Group clusters have used in other attacks, including one against a South Korean IT company in 2021.

Kaspersky's analysis of the attack showed the malware using numerous legitimate Windows commands and tools such as Mimikatz for everything from initial reconnaissance on a compromised host system and acquiring login credentials, to lateral movement and exfiltration. To acquire basic system info, for instance, the malware used Windows commands to find TCP and system info, or to query the saved server list from the registry.

To move laterally, the actor used a technique called ServiceMove which leverages Windows Perception Simulation Service to load arbitrary DLL files, Kaspersky said. "When the group completed its mission and began exfiltrating data, they mostly utilized the WinRAR utility to compress files and transmit them via C2 communication channels."

The tactics, techniques, and procedures (TTPs) that DeathNote employed in its campaign against the defense contractor in Africa were similar to those that Kaspersky observed in another 2022 campaign that hit a defense company in Latin America.

A Broadening Range of Cyber Targets

Kaspersky security researcher Seongsu Park says DeathNote's evolution from cryptocurrency mining attacks to defense sector espionage is consistent with the Lazarus Group's efforts to broaden its target list over the years.

"While they primarily attacked the defense sector in the past, as we recently published, they have also targeted think tanks and the medical sector," he explains. "This demonstrates the group's wide range of targets."

Lazarus Group, which many believe is an advanced persistent threat (APT) affiliated with the North Korean government, first grabbed attention with a 2014 attack on Sony Pictures over a satirical movie about North Korean leader Kim Jong-un. Over the years, researchers have tied the group to numerous other high-profile attacks, including the WannaCry ransomware outbreak, attacks that drained tens of millions of dollars from banks in Bangladesh, and attacks on major cryptocurrency companies.

The DeathNote cluster is just one of at least seven separate Lazarus malware clusters that are currently active. The others, according to Kaspersky, are ThreatNeedle, Bookcode, AppleJeus, Mata, CookieTime, and Manuscrypt. The Lazarus group operates several clusters simultaneously and each of these clusters operates in a sophisticated manner, using its own malware toolkit with sometimes overlapping features, Park says.

"Each of their clusters changes targets from time to time," Park notes. "We have observed that other clusters, for example, CookieTime and Bookcode, belonging to the Lazarus group, have also targeted the defense industry before."

DeathNote's typical TTPs have included using spear-phishing emails with weaponized Word or PDF reader apps. During the days when the cluster focused on coin mining, it used cryptocurrency-themed lures to try and get victims to execute the initial infection vector. Since switching to defense targets, the cluster has been using defense themed lures — including those that purport to be job advertisements — as phishing lures. Kaspersky said it found DeathNote only dropping the second-stage payload on systems belonging to victims it deemed valuable from a cyberespionage standpoint.

For the moment at least DeathNote's campaigns targeting the defense sector have not affected US organizations.