Lazarus Group Evolved Their Infection Chain with Old and New Malware

Sojun Ryu (Kaspersky, KR)

Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analyzing malware and responding to incidents, and is one of the authors of "Operation Bookcodes" published by KrCERT/CC in 2020. After moving to S2W, a cybersecurity startup in Korea, he expanded his coverage during his time as a team leader, focusing on not only APT but also on cybercrime. Sojun is now a member of GReAT at Kaspersky and is very focused on APT research.
--
Over recent years, the Lazarus APT group has distributed their own malware by leveraging fraudulent job opportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other global sectors. This attack campaign is called DeathNote campaign and is also referred to as "Operation DreamJob".During our recent investigation, we observed that the Lazarus group had delivered archive files containing malicious files to at least two employees who were engaged with the same organization over the course of one month. The threat actor used a fake job offer sent by an impersonated recruiter.After looking into the attack, we were able to uncover a detailed infection chain, giving us insight into their intentions. Although they used known strategies and malware for initial infiltration, they intentionally introduced new malware to avoid detection by leveraging on the fact that the malware hasn't been used before. They have also stepped up their efforts to actively evade detection by exploiting legitimately compromised websites as C2 servers.