The Lazarus group’s DeathNote cluster uses weaponized Word documents with decoys related to cryptocurrency to drop multi-stage payloads, evolving to target defense contractors and supply chains with new infection methods like remote template injection and Trojanized open-source PDF viewers. It features in-memory loaders, DLL side-loading, and post-exploitation tactics such as credential dumping, lateral movement, and data exfiltration via WinRAR, all pointing to a sophisticated, shifting campaign. #LazarusGroup #DeathNote #DnDll #Dn64Dll #OperationDreamJob #NukeSped #COPPERHEDGE #BLINDINGCAN #Manuscrypt
Keypoints
- The DeathNote cluster is a Lazarus-led operation delivering multi-stage payloads via weaponized documents and macros, starting with decoy cryptocurrency-themed documents.
- Early activity involved two second-stage payloads: a manipulated backdoor and a typical backdoor with a multi-stage infection chain.
- Infection evolves to defense-related targets using remote template injection and Trojanized open-source PDF viewers, with the DeathNote downloader uploading data and fetching next-stage payloads.
- Post-exploitation includes credential dumping, lateral movement (e.g., SMB/ServiceMove), and exfiltration using WinRAR over C2 channels.
- Targets expanded from cryptocurrency entities to the automotive and academic sectors in Eastern Europe and to a defense contractor in Africa, with supply-chain and vulnerability-based infection vectors still in use.
- The campaign displays clear attribution to the Lazarus group, including Korean-language signals in C2 scripts and timing patterns suggesting GMT+08/09 locations.
MITRE Techniques
- [T1566.001] Phishing – Attachment – weaponized Word documents with cryptocurrency-themed decoys that trigger macro-based downloads. “the actor behind this weaponized document had been using similar malicious Word documents since October 2018” and decoy content related to cryptocurrency.
- [T1059.005] Visual Basic – Malware uses malicious Visual Basic Script to extract the embedded downloader and load it with specific parameters. “…malicious Visual Basic Script extracts the embedded downloader malware and loads it with specific parameters…”
- [T1105] Ingress Tool Transfer – Downloader loads the next-stage payload based on operator commands. “…the downloader retrieved an additional payload based on the operator’s commands…”
- [T1574.002] DLL Side-Loading – Trojanized applications (e.g., UltraVNC viewer) load malicious payload via side-loading, including launching with specific parameters. “…masquerading as a genuine UltraVNC viewer. However, it carries out a malicious routine when it is spawned with ‘-s …’ parameters…”
- [T1543.003] Create/Modify System Process: Windows Service – The installer creates and registers an injector and backdoor in a Windows service. “…creates and registers an injector and backdoor in a Windows service.”
- [T1055] Process Injection – Backdoor injected into svchost.exe to run commands and maintain persistence. “…the backdoor is injected into a legitimate process (svchost.exe) and initiates a command-and-control (C2) operation.”
- [T1071.001] Web Protocols – C2 communications to retrieve commands and exfiltrate data. “…initiates a command-and-control (C2) operation.”
- [T1221] Template Injection – Remote template injection used to weaponize documents and deliver the downloader. “…remote template injection technique in their weaponized documents…”
- [T1560.001] Archive Collected Data – Exfiltration using WinRAR to compress and transmit data via C2. “…WinRAR to compress files and transmit them via C2 communication channels.”
- [T1016.001] System Network Configuration Discovery – Basic reconnaissance using commands like netstat and systeminfo. “…cmd.exe /c netstat -ano | find TCP” and “…systeminfo”
- [T1033] Account Discovery – Active Directory discovery using tools like ADFind. “…Acquiring Active directory information.”
- [T1003.001] Credential Dumping – Use of Mimikatz/Responder to dump credentials. “…Utilizing crafted Mimikatz to dump login credentials or Responder tool to capture credentials.”
- [T1021.002] SMB/Windows Admin Shares – Lateral movement via SMB or ServiceMove techniques. “…SMB connection or the ServiceMove technique…”
- [T1056.001] Keylogging – Stealer malware collects keystroke and clipboard data. “…collect keystroke and clipboard data…”
- [T1059.003] Windows Command Shell – Recurrent use of cmd.exe for execution. “…cmd.exe /c …” snippets in recon data.
- [T1574.001] DLL Injection – Backdoors injected into legitimate processes via DLLs loaded during service/startup sequences.
Indicators of Compromise
- [Hash] Malicious documents – 265f407a157ab0ed017dd18cae0352ae, 7a73a2261e20bdb8d24a4fb252801db7, and 6 more hashes
- [Hash] Downloader – d1c652b4192857cb08907f0ba1790976, 25b37c971fd7e9e50e45691aa86e5f0a, and 2 more hashes
- [Hash] Manipulated Installer – dd185e2bb02b21e59fb958a4e12689a7
- [File path] Installer – C:\Windows\igfxmon.exe
- [File path] Injector – C:\Windows\system32\[random 2 bytes]proc.exe
- [File path] Backdoor – C:\Windows\system32\[random 2 bytes]svc.dll
- [File name] Decoy documents – pubmaterial.docx, Boeing_PMS.docx
- [File name] Fetched templates – pubmaterial.dotm, 43.dotm
- [File] DeathNote downloader artifacts – onenote.db, thumbnail.db
- [File] Trojanized PDF viewer – SumatraPDF.exe, internal pdf viewer.exe
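Added example (not code from the report or this summary): a small rule set that screens process-creation and file-creation events for the reconnaissance commands in the MITRE list and the file-path and artifact indicators above. The sample events are constructed; the two-character width of "[random 2 bytes]" and the executable name vncviewer.exe for the UltraVNC lure are assumptions.

```python
import re

# Constructed sample events, NOT from the report: (event kind, field), where
# PROC carries a process command line and FILE a created-file path.
SAMPLE_EVENTS = [
    ("PROC", r"C:\Windows\System32\cmd.exe /c netstat -ano | find TCP"),
    ("PROC", r"C:\Windows\System32\cmd.exe /c systeminfo"),
    ("FILE", r"C:\Windows\system32\a7proc.exe"),
    ("FILE", r"C:\Windows\system32\f2svc.dll"),
    ("FILE", r"C:\Windows\igfxmon.exe"),
    ("PROC", r"C:\Users\alice\AppData\Local\Temp\vncviewer.exe -s 127.0.0.1"),
    ("FILE", r"C:\Users\alice\AppData\Roaming\onenote.db"),
    ("PROC", r"C:\Windows\System32\svchost.exe -k netsvcs"),   # benign
    ("FILE", r"C:\Windows\system32\kernel32.dll"),              # benign
]

# Rules: (name, event kind, regex). The "[random 2 bytes]" of the injector and
# backdoor names is assumed to be two alphanumeric characters (an assumption,
# not a detail the report states). vncviewer.exe is likewise an assumed name
# for the UltraVNC lure; the report only gives the "-s ..." switch.
RULES = [
    ("deathnote_installer_path", "FILE",
     re.compile(r"^c:\\windows\\igfxmon\.exe$", re.I)),
    ("deathnote_injector_path", "FILE",
     re.compile(r"^c:\\windows\\system32\\[a-z0-9]{2}proc\.exe$", re.I)),
    ("deathnote_backdoor_path", "FILE",
     re.compile(r"^c:\\windows\\system32\\[a-z0-9]{2}svc\.dll$", re.I)),
    ("deathnote_downloader_artifact", "FILE",
     re.compile(r"\\(onenote|thumbnail)\.db$", re.I)),
    ("recon_netstat_find_tcp", "PROC",
     re.compile(r"cmd\.exe\s+/c\s+netstat\s+-ano\s*\|\s*find\s+TCP", re.I)),
    ("recon_systeminfo", "PROC",
     re.compile(r"(^|\\|\s)systeminfo(\.exe)?(\s|$)", re.I)),
    ("vnc_viewer_with_s_switch", "PROC",
     re.compile(r"\\vncviewer\.exe\s+-s\b", re.I)),
]

def match_events(events):
    """Return (rule_name, field) for every event that a rule matches."""
    hits = []
    for kind, field in events:
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and pattern.search(field):
                hits.append((name, field))
    return hits

if __name__ == "__main__":
    for name, field in match_events(SAMPLE_EVENTS):
        print(f"{name:32} {field}")
```

The path rules are exact-match on purpose: the injector and backdoor names differ only in a short random prefix, so anchoring on the fixed suffix and the system32 directory keeps the rule narrow while still covering every variant the report describes.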
Read more: https://securelist.com/the-lazarus-group-deathnote-campaign/109490/