DeathNote Shifts To Targeting The Defense Industry

Kaspersky reported yesterday that, since April 2020, the Lazarus Group has been evolving the tactics, techniques and procedures of its “DeathNote” campaign, shifting from targeting cryptocurrency businesses to targeting defense companies.

The payload relies on trojanized open-source PDF viewer software and weaponized documents to collect and report the victim’s information. Initially the malware authors used decoy documents related to cryptocurrency, but they have since switched every decoy to job descriptions for defense contractors and diplomatic services.

The targeting shifted over time:

  • Early 2020 – EU automotive and academic organizations linked to the defense industry
  • May 2021 – IT company that provides solutions for monitoring network devices and servers
  • May 2021 – Defense contractor in Latin America
  • July 2022 – Defense contractor in Africa
  • March 2022 – Several similar victims in South Korea

All of these intrusions relied on the same DLL side-loading technique observed in the earlier cryptocurrency-targeted campaigns.
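As an added defensive illustration (this is not code from Kaspersky’s report or from SCYTHE), the script below applies two common heuristics for spotting DLL side-loading to a handful of constructed, Sysmon-style image-load records: a well-known system DLL name loaded from somewhere other than the Windows system directories, and an unsigned DLL loaded by a signed process from that process’s own directory. The field names, file paths and allowlist are assumptions for the example, not values taken from the report.

```python
"""Flag image-load events that look like DLL side-loading.

The sample records are constructed to resemble the fields of a Sysmon
Event ID 7 (Image Loaded) record; every path here is made up for the example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories from which well-known Windows library names are expected to load.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Small allowlist (assumption) of system DLL names that side-loading commonly
# impersonates; extend it from your own environment's baseline.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptbase.dll", "userenv.dll", "msimg32.dll",
}


@dataclass
class ImageLoad:
    """Subset of an image-load event relevant to the heuristics below."""
    process_image: str     # executable that performed the load
    process_signed: bool   # signature status of that executable
    image_loaded: str      # full path of the loaded DLL
    image_signed: bool     # signature status of the DLL


def in_trusted_dir(path: str) -> bool:
    """True when the file sits directly in one of the Windows system dirs."""
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def sideload_indicators(ev: ImageLoad) -> list[str]:
    """Return human-readable reasons the event looks like side-loading."""
    reasons: list[str] = []
    dll_dir = ntpath.dirname(ev.image_loaded)
    name = ntpath.basename(ev.image_loaded).lower()

    # Heuristic 1: a system DLL name resolved outside the system directories.
    if name in SYSTEM_DLL_NAMES and not in_trusted_dir(ev.image_loaded):
        reasons.append(f"system DLL name {name} loaded from {dll_dir}")

    # Heuristic 2: signed host process, unsigned DLL, both in the same folder.
    same_dir = dll_dir.lower() == ntpath.dirname(ev.process_image).lower()
    if ev.process_signed and not ev.image_signed and same_dir:
        reasons.append("unsigned DLL loaded by a signed process from its own directory")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Keep only events with at least one indicator, with their reasons."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev.process_image, ev.image_loaded, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A signed viewer dropped next to an unsigned DLL with a system DLL's name.
    ImageLoad(r"C:\Users\alice\Downloads\PDFViewer\viewer.exe", True,
              r"C:\Users\alice\Downloads\PDFViewer\version.dll", False),
    # Benign: the real version.dll loaded from System32.
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\version.dll", True),
    # Benign: a vendor's own signed helper library beside its signed binary.
    ImageLoad(r"C:\Program Files\Vendor\App\app.exe", True,
              r"C:\Program Files\Vendor\App\helper.dll", True),
]

if __name__ == "__main__":
    for proc, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}")
        for r in reasons:
            print(f"    {r}")
```

The second heuristic will also fire on legitimate software that ships unsigned plugins, so in practice it is a triage filter to combine with a per-environment baseline rather than a standalone alert.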

Christopher Peacock, Principal Detection Engineer at SCYTHE, had this to say:

   “Often governments shift capabilities to address their needs and requirements, so there may have been a strategic shift from targeting crypto businesses for money to more classical espionage attempting to collect defense information.”

This is one of those situations where user education and prudent use of tooling would make a real difference in defending against attacks like these. Hopefully defenders will make a shift of their own, just as Lazarus has.
