Lazarus Group Updates Operation Dream Job Campaign 

Summary  

North Korean threat actor Lazarus Group has been observed shifting its focus and evolving its tools and tactics as part of a long-running campaign cluster called Operation Dream Job, also tracked under the monikers DeathNote and NukeSped. While the group is known for targeting the cryptocurrency sector, recent attacks have targeted the medical, automotive, academic, energy, and defense sectors in Eastern Europe and other parts of the world. The group is seeking to expand its range of targets and is exploiting known vulnerabilities to achieve this goal. These known vulnerabilities give the threat actors initial access to networks and allow them to escalate privileges and exfiltrate data.  

Lazarus Group Background 

Lazarus Group has been linked to successful breaches throughout the years. An attack discovered in March 2022 targeted several victims in South Korea by exploiting security software to deliver downloader malware capable of distributing a backdoor and an information stealer that harvests keystroke and clipboard data. Additionally, the group was observed using a new implant dubbed “Vyveva” in an attack campaign against a South African shipping company in May 2022. Vyveva is a sophisticated remote access trojan capable of taking complete control of an infected system and exfiltrating sensitive data. Furthermore, defense contractor organizations in Africa and Latin America were targeted in previous Operation Dream Job campaigns. These attacks have furthered the objective of broadening the range of industries targeted by the Lazarus Group. 

New campaigns that focus on known vulnerabilities have also enabled the group to expand its target set. Recently, the Lazarus Group was found to exploit unpatched Zimbra devices, gaining access to networks and then escalating privileges. The Lazarus Group has also been tied to the recent 3CXDesktopApp supply chain attack. 3CX’s Voice over Internet Protocol (VoIP) Internet Protocol Private Branch eXchange (IP PBX) software is used by over 600,000 companies worldwide, with more than 240,000 3CX phone management systems exposed to the internet; both the Windows and Mac apps were impacted. The 3CXDesktopApp supply chain attack reinforces the group’s motivation to impact multiple industries on a large scale.  

Implications of Lazarus Group 

The group’s activities demonstrate a high level of sophistication and the ability to evolve rapidly in response to changing circumstances. The Lazarus Group has been observed building supply chain attack capabilities and attempting to remove artifacts and indicators of its presence to evade detection. The recent change in targeting, combined with the exploitation of known vulnerabilities, highlights the group’s strong desire to significantly impact multiple industries. Kaspersky researchers caution organizations to maintain vigilance and take proactive measures to defend against these malicious activities. 

Conclusion 

It is critical for companies to stay up to date with the latest security patches and updates, monitor their networks for suspicious activity, and educate their employees on how to identify and avoid phishing and social engineering attacks. Implementing a robust cybersecurity framework and incident response plan can also help mitigate the impact of an attack and minimize potential damage. With the Lazarus Group’s continued evolution and focus on various industries, organizations must remain vigilant and adapt to changing threats to protect their systems and data. 

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub. 

References: 

  1. https://www.darkreading.com/vulnerabilities-threats/lazarus-group-deathnote-cluster-pivots-defense-sector 
  2. https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html 
