North Korean hacker group Lazarus Group has been using a new type of “sophisticated” malware as part of its fake employment scam, which researchers warn will be more challenging to detect than its predecessor.
While analyzing a recent fake job attack against a Spanish aerospace company, ESET researchers discovered an undocumented backdoor called LightlessCan, according to a September 29 post by ESET senior malware researcher Peter Kálnai.
#ESET Researchers release findings on North Korea-linked attacks #easy group #Lazarus. The target was a Spanish aerospace company.
▶️ Learn more: #WeekinSecurity video and @TonyAtESET. pic.twitter.com/M94J200VQx
— ESET (@ESET) September 29, 2023
The Lazarus Group’s fake job scams typically involve deceiving victims about potential job opportunities at well-known companies. Attackers trick victims into downloading malicious payloads disguised as documents in order to cause a variety of damage.
However, Kálnai said the new LightlessCan payload is a “significant improvement” compared to its predecessor, BlindingCan.
“LightlessCan mimics the functionality of various native Windows commands, enabling discreet execution within the RAT itself, rather than noisy console execution.”
“This approach offers significant advantages in stealth, whether evading real-time surveillance solutions such as EDR or post-event digital forensic tools,” he said.
Beware of fake LinkedIn recruiters! Learn how the Lazarus Group exploited a Spanish aerospace company through a Trojanized coding challenge. Dive into the details of their cyber espionage operations in our latest #WeLiveSecurity article. #ESET #ProgressProtected
— ESET (@ESET) September 29, 2023
The new payload also uses what the researchers call “execution guardrails” – ensuring the payload can only be decrypted on the intended victim’s machine, thus preventing security researchers from accidentally decrypting it.
Kálnai said one case involving the new malware came from a 2022 attack on a Spanish aerospace company, when an employee received a message from a fake Meta recruiter named Steve Dawson.
Soon after, the hackers sent two simple coding challenges embedded with malware.

He added that cyber espionage was the main motivation behind Lazarus Group’s attack on the Spanish aerospace company.
North Korean hackers have stolen approximately $3.5 billion from cryptocurrency projects since 2016, according to a Sept. 14 report from blockchain forensics firm Chainalysis.
In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn, offering potential victims jobs at Crypto.com as part of the Operation Dream Job campaign.
Meanwhile, the United Nations has been working at the international level to curb North Korea’s cybercrime, the proceeds of which are understood to be used to support its nuclear missile program.