Perfect Smoke and Mirrors of Enemy: Following Lazarus group by tracking DeathNote campaign
Contents
Seongsu Park, Lead security researcher @ Kaspersky, Global Research and Analysis Team
• Tracking targeted attacks focused on APAC
• Tracking Korean-speaking actors
Focus Area
• Investigative Research
• Reversing Malware
• Digital Forensics
• Threat Intelligence
Adversary
• Lazarus (a.k.a Hidden Cobra, Zinc)
• Published by Novetta in 2014
Victim
• Financial profit
• Cyber espionage
• Data theft
Capability
• Various infection vectors
• Multi-stage components
• Several malware clusters
Infrastructure
• Compromised server
• Commercial hosting service
Origin of DeathNote
Manuscrypt
• Old Lazarus malware
• Connected to the SPE hacking
• Had been used for several years without significant updates.
DeathNote (a.k.a DreamJob)
• Came across an updated version of the initial downloader.
• Implemented new techniques.
• Since Oct 2018
• Weaponized document (e.g. GM-Buying Miners.doc) → Downloader → C2 operation
• Trojanized application (Trojanized UltraVNC; Installer, e.g. CereiPayCoin-qt.exe) → Injector (Dn.dll or Dn64.dll) → Backdoor → C2 servers
• Weaponized document with remote template → Remote template with macro → Downloader (fetch and execute in memory) → Backdoor (Manuscrypt, COPPERHEDGE) → C2 operation
• Trojanized PDF reader with a crafted PDF file, shown alongside a decoy document → C2 servers
Jun 2021. Expanded target, adopted new infection vectors
Observed rundll32 command lines:
rundll32.exe C:\ProgramData\SCSKAppLink.dll,NetSetCookie Cnusrmgr -e [RC4 key] [config file path]
rundll32.exe inetcpl32.cpl, CMS_ContentInfo {PNZ0IX6K-Y8D0-KWYW-JWKW-RD3X4ZO7UNKK}
Infection chain: Legitimate software → Racket Downloader (fetch and execute manually, in-memory) → BLINDINGCAN (fetch and launch in memory) → Loader (in-memory) → COPPERHEDGE
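As an added defender-side example, not part of the talk, a small Python check that flags process-creation command lines matching the two rundll32 invocation shapes on this slide: a DLL loaded from a user-writable directory such as C:\ProgramData with an export and trailing arguments, and a .cpl outside System32 called with a GUID-like token. The sample events, the RC4 key and the config file path are constructed placeholders.

```python
import re
from typing import Optional

# Constructed sample process-creation command lines (not from the talk): one benign
# Control Panel launch plus the two DeathNote-style rundll32 lines from the slide,
# with placeholder values standing in for the RC4 key and config file path.
SAMPLE_EVENTS = [
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\inetcpl.cpl",
    r"rundll32.exe C:\ProgramData\SCSKAppLink.dll,NetSetCookie Cnusrmgr -e PLACEHOLDERKEY C:\ProgramData\PLACEHOLDER.ini",
    r"rundll32.exe inetcpl32.cpl, CMS_ContentInfo {PNZ0IX6K-Y8D0-KWYW-JWKW-RD3X4ZO7UNKK}",
]

# rundll32 syntax: rundll32.exe <module>,<export> [args]; a space after the comma is tolerated.
RUNDLL32_RE = re.compile(
    r"^\s*(?:.*\\)?rundll32(?:\.exe)?\s+(?P<module>[^,\s]+)\s*,\s*(?P<export>\S+)(?:\s+(?P<args>.*))?$",
    re.I,
)
USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users|temp|windows\\temp)\\", re.I)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Token shaped like a GUID; [0-9a-z] rather than hex only, since the slide's value is not hex.
GUID_LIKE = re.compile(r"\{[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\}", re.I)


def classify(cmdline: str) -> Optional[str]:
    """Return a reason string when a rundll32 command line matches one of the slide's patterns, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    module, export, args = m["module"], m["export"], m["args"] or ""
    # Rule 1: DLL loaded from a user-writable directory (C:\ProgramData\SCSKAppLink.dll on the slide).
    if module.lower().endswith(".dll") and USER_WRITABLE.match(module):
        return f"rundll32 loads DLL from user-writable path: {module}!{export}"
    # Rule 2: .cpl given by bare name or outside System32/SysWOW64 (inetcpl32.cpl on the slide);
    # a GUID-like argument raises the confidence, but the non-system CPL is unusual on its own.
    if module.lower().endswith(".cpl") and not SYSTEM_DIRS.match(module):
        if GUID_LIKE.search(args):
            return f"rundll32 loads non-system CPL with GUID-like argument: {module}!{export}"
        return f"rundll32 loads non-system CPL: {module}!{export}"
    return None


def scan(events):
    """Return (command line, reason) pairs for every event the rules flag."""
    return [(e, r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for event, reason in scan(SAMPLE_EVENTS):
        print(reason, "<-", event)
```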
March 2022. Same method with elaborate infection scheme
• .ini config file (refer to)
• Memory-resident Stealer (execute)
• Create and …