The North Korean threat actor Lazarus Group, also known as Operation Dream Job or NukeSped, is shifting its focus from targeting only cryptocurrency businesses to a wider range of industries, including automotive, academic and defense sectors in Eastern Europe and other parts of the world.
Researchers have said that this is a significant pivot for the group. The DeathNote cluster, under which these attacks are being tracked, has updated its infection vectors, including a trojanised build of the legitimate SumatraPDF reader that is used to initiate the malicious routine. The new backdoor is capable of collecting and reporting victim information and of executing retrieved payloads, using named-pipe communication between its components.
Kaspersky researchers have observed Lazarus Group building supply chain attack capabilities, such as the deployment of BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants against the defense industry. The group has also been linked to a successful breach of a defense contractor in Africa last July, which resulted in exfiltration of data.
Lazarus Group is known for its highly skilled and persistent approach to cyberattacks, and the researchers warn that it is crucial for organizations to remain vigilant and take proactive measures to defend against its malicious activities.
The group typically uses bitcoin mining-themed lures to entice potential targets into opening macro-laced documents and dropping the Manuscrypt backdoor on the compromised machine.
The targeting of the automotive and academic verticals is tied to Lazarus Group’s broader attacks against the defense industry, as previously documented by the Russian cybersecurity firm Kaspersky in October 2021. The group has also been blamed for the supply chain attack aimed at enterprise VoIP service provider 3CX, which came to light last month.