Unveiling LightlessCan: Lazarus Group's Stealthy Advancement
The Lazarus Group, a hacking collective linked to North Korea, has deployed a notably more sophisticated piece of malware in its fake job offer campaigns. The new variant, dubbed LightlessCan, is considerably more complex than its predecessor and correspondingly harder to detect.
In a post dated September 29, Peter Kálnai, a senior malware researcher at ESET, disclosed that while investigating a fake job offer aimed at an aerospace company in Spain, ESET researchers discovered a previously undocumented backdoor named LightlessCan.
#ESET researchers unveiled their findings about an attack by the North Korea-linked #APT group #Lazarus that took aim at an aerospace company in Spain. ▶️ Find out more in a #WeekinSecurity video with @TonyAtESET.
— ESET (@ESET) September 29, 2023
In its fake job campaigns, the Lazarus Group typically lures victims with the prospect of employment at a well-known company, then persuades them to download a malicious payload disguised as an innocuous document.
However, as Kálnai explained, the new LightlessCan payload is a marked advance over its predecessor, BlindingCan.
"LightlessCan meticulously simulates the functionalities of a multitude of native Windows commands, affording clandestine execution within the RAT itself, cleverly sidestepping any overt console executions."
"This strategic approach furnishes a discernible advantage in terms of stealthiness, enabling evasion of real-time monitoring solutions, such as EDRs, and ensuring a level of elusiveness during postmortem digital forensic investigations," he expounded.
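The evasion Kálnai describes, emulating command functionality inside the RAT so that no console process is ever created, defeats detection rules that key on process creation. The following Python sketch, added here and not part of ESET's research or the original article, contrasts such a rule with an activity-based one over constructed Sysmon-style events; the image names Challenge.exe and legacy_rat.exe and all event data are made up for illustration.

```python
from collections import defaultdict

# Constructed Sysmon-style telemetry for illustration (not data from the ESET report).
# "proc_create": a parent process spawns a child; "file_read"/"net_connect": activity by a process.
EVENTS = [
    {"type": "proc_create", "pid": 100, "image": "explorer.exe", "child": "Challenge.exe"},
    # An implant that shells out leaves console children behind, which process-creation rules catch.
    {"type": "proc_create", "pid": 300, "image": "legacy_rat.exe", "child": "cmd.exe"},
    {"type": "proc_create", "pid": 300, "image": "legacy_rat.exe", "child": "ipconfig.exe"},
    # LightlessCan-style behaviour: the same reconnaissance effects, but no console process appears.
    {"type": "net_connect", "pid": 200, "image": "Challenge.exe", "dst": "203.0.113.10:443"},
] + [
    {"type": "file_read", "pid": 200, "image": "Challenge.exe",
     "path": rf"C:\Users\victim\Documents\doc{i}.docx"}
    for i in range(6)
]

# Built-in binaries whose appearance as a child process a console-spawn rule would flag.
CONSOLE_IMAGES = {"cmd.exe", "powershell.exe", "ipconfig.exe", "netstat.exe",
                  "whoami.exe", "systeminfo.exe"}


def console_spawn_rule(events):
    """Baseline rule: flag parent images that spawn console or built-in recon binaries."""
    return {e["image"] for e in events
            if e["type"] == "proc_create" and e["child"].lower() in CONSOLE_IMAGES}


def silent_recon_rule(events, min_files=5, min_conns=1):
    """Activity-based rule: flag processes that read many user files and also connect
    outbound, regardless of whether they ever created a child process."""
    files, conns, image = defaultdict(set), defaultdict(set), {}
    for e in events:
        image[e["pid"]] = e["image"]
        if e["type"] == "file_read":
            files[e["pid"]].add(e["path"])
        elif e["type"] == "net_connect":
            conns[e["pid"]].add(e["dst"])
    return {image[pid] for pid in files
            if len(files[pid]) >= min_files and len(conns[pid]) >= min_conns}


if __name__ == "__main__":
    print("console-spawn rule flags:", console_spawn_rule(EVENTS))   # {'legacy_rat.exe'}
    print("activity rule flags:", silent_recon_rule(EVENTS))         # {'Challenge.exe'}
```

The console-spawn rule never sees the in-process implant, while file and network telemetry still exposes its reconnaissance.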
Beware of fake LinkedIn recruiters! Find out how Lazarus group exploited a Spanish aerospace company via trojanized coding challenge. Dive into the details of their cyberespionage campaign in our latest #WeLiveSecurity article. #ESET #ProgressProtected
— ESET (@ESET) September 29, 2023
The new payload also uses what the researcher calls "execution guardrails": it can only be decrypted on the intended victim's device, which prevents unintended decryption by security researchers examining it elsewhere.
Kálnai described one case in which the new malware was used in an attack on a Spanish aerospace firm. In 2022, an employee received a message from a fake Meta recruiter calling himself Steve Dawson.
The attackers then sent two seemingly simple coding challenges with the malware embedded in them.
The primary goal of the Lazarus Group's intrusion into the Spanish aerospace firm, Kálnai stressed, was cyberespionage.
According to a September 14 report by blockchain forensics firm Chainalysis, North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects since 2016.
In September 2022, cybersecurity firm SentinelOne warned of a job scam on LinkedIn that offered victims employment at Crypto.com, part of a campaign dubbed "Operation Dream Job."
Meanwhile, the United Nations has been working to curb North Korea's cybercrime, as the country channels the stolen funds into its growing nuclear missile program.