Lazarus' DeathNote In Focus - Coinleaks
Current Date: September 16, 2024


Kaspersky recently placed DeathNote, one of the clusters belonging to the Lazarus cyberattack group, under surveillance.

Starting out in 2019 with attacks on crypto-related companies around the world, DeathNote has undergone a major transformation over the years. At the end of 2022, the group became responsible for targeted attacks affecting IT and defense companies in Europe, Latin America, South Korea and Africa.

Kaspersky’s latest report highlights the evolution and improvement of DeathNote’s tools, techniques and procedures over the past four years, as well as the change in goals.

Kaspersky Reviews DeathNote


Notorious threat actor Lazarus has long been persistently targeting crypto-related businesses. While monitoring the activities of this threat actor, Kaspersky noticed the use of significantly modified malware in one case.

Kaspersky experts came across a suspicious document that had been uploaded to VirusTotal in October 2019. The malware author had used decoy documents related to cryptocurrency: a survey about buying a particular cryptocurrency, guides to getting started with a particular cryptocurrency, and login information for a Bitcoin mining company. The DeathNote campaign first targeted individuals and companies interested in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.

However, Kaspersky observed a significant shift in DeathNote’s infection vectors in April 2020. Research has shown that the DeathNote cluster was targeting defense industry-related automotive companies and academic institutions in Eastern Europe. At the same time, the threat actor switched its decoy documents to fake job descriptions from defense industry contractors and fake diplomatic correspondence. In addition to weaponized documents that used the remote template injection technique, the infection chain included a trojanized open-source PDF viewer, making the attack more effective. Both infection methods resulted in the installation of the DeathNote downloader, which was responsible for collecting and exfiltrating the victim’s information.

In May 2021, Kaspersky found that an IT company in Europe that provides network device and server monitoring solutions had been compromised by the DeathNote cluster. Then, in early June 2021, the Lazarus subgroup began using a new mechanism to infect targets in South Korea. What caught the researchers’ attention here was that the first stage of the malware was executed by legitimate security software widely used in South Korea.