The Lazarus Group, a North Korean hacking collective, has employed a new and highly sophisticated malware variant known as LightlessCan in its fraudulent employment schemes, which poses a significant challenge to detection compared to its predecessor.
ESET’s senior malware researcher, Peter Kálnai, revealed these findings in a post on September 29, following an analysis of a fake job attack targeting a Spanish aerospace firm.
Lazarus Group’s typical modus operandi involves luring victims with enticing employment offers at reputable companies and tricking them into downloading malicious payloads disguised as documents.
However, LightlessCan represents a notable advancement over its precursor, BlindingCan. Kálnai explained that LightlessCan can mimic various native Windows commands, enabling discreet execution within the Remote Access Trojan (RAT) itself, minimizing noisy console executions.
This enhanced stealthiness makes it challenging for real-time monitoring solutions like EDRs and postmortem digital forensic tools to detect.
READ MORE:Venture Capital Firm Paradigm Criticizes SEC’s Unconventional Approach in Binance Case
Furthermore, the new malware incorporates “execution guardrails” to ensure that only the intended victim’s machine can decrypt the payload, preventing unintended decryption by security researchers.
One known case involving this new malware targeted a Spanish aerospace firm when an employee received a message from a fake Meta recruiter named Steve Dawson in 2022. Subsequently, the hackers sent two coding challenges embedded with the malware.
Lazarus Group’s primary motive for the attack on the Spanish aerospace firm was cyberespionage.
Notably, North Korean hackers have been responsible for stealing an estimated $3.5 billion from cryptocurrency projects since 2016, as reported by blockchain forensics firm Chainalysis on September 14.
In September 2022, cybersecurity firm SentinelOne issued a warning about a fake job scam on LinkedIn, part of a campaign known as “Operation Dream Job,” offering potential victims positions at Crypto.com.
Simultaneously, the United Nations has been actively working to curb North Korea’s cybercrime tactics on an international scale, as it is believed that the stolen funds are being used to support North Korea’s nuclear missile program.
This ongoing effort underscores the global impact and consequences of cyberattacks orchestrated by groups like Lazarus.
Other Stories:
SEC Delays Decision on Spot Bitcoin ETF Proposals Amid Looming Government Shutdown
Venture Capital Firm Paradigm Criticizes SEC’s Unconventional Approach in Binance Case
Space and Time Integrates Its Proof of SQL Verifier Into Chainlink Nodes