North Korean hacker collective Lazarus Group has been using a "sophisticated" new type of malware as part of its fake employment scams, which researchers warn is much harder to detect than its predecessor.
According to a September 29 post by ESET senior malware researcher Peter Kálnai, while analyzing a recent fake job attack against a Spain-based aerospace company, ESET researchers discovered a previously undocumented backdoor called LightlessCan.
#ESET investigators revealed their findings about an attack by the North Korea-linked group #Lazarus (#SUITABLE cluster), which had as its objective an aerospace company in Spain.
▶️ Discover more in a #SafetyWeek video with @TonyAtESET. pic.twitter.com/M94J200VQx
—ESET (@ESET) September 29, 2023
The Lazarus Group fake jobs scam typically involves tricking victims with a potential job offer at a well-known company. Attackers would prompt victims to download a malicious payload disguised as documents to cause all kinds of damage.
However, Kálnai says the new LightlessCan payload is a “significant advance” compared to its BlindingCan predecessor.
"LightlessCan mimics the functionalities of a wide range of native Windows commands, allowing unobtrusive execution within the RAT itself rather than noisy console executions."
"This approach offers a significant advantage in terms of stealth, both in evading real-time monitoring solutions such as EDR and post-mortem digital forensic tools," he said.
Beware of fake LinkedIn recruiters! Discover how the Lazarus group exploited a Spanish aerospace company through a Trojanized coding challenge. Delve into the details of this cyberespionage campaign in our latest #WeLiveSecurity article. #ESET #ProtectedProgress
—ESET (@ESET) September 29, 2023
The new payload also uses what the researcher calls "execution guardrails," ensuring that the payload can only be decrypted on the intended victim's machine, thus preventing unintentional decryption by security researchers.
Kálnai said one case involving the new malware came from an attack on a Spanish aerospace company when an employee received a message from a fake Meta recruiter named Steve Dawson in 2022.
Shortly after, the hackers sent two simple coding challenges embedded in the malware.
Cyberespionage was the main motivation behind the Lazarus Group's attack on the Spain-based aerospace company, he added.
Since 2016, North Korean hackers have stolen approximately $3.5 billion from cryptocurrency projects, according to a September 14 report from blockchain forensics firm Chainalysis.
In September 2022, cybersecurity company SentinelOne warned of a fake job scam on LinkedIn, offering potential victims a job at Crypto.com as part of a campaign dubbed "Operation Dream Job."
Meanwhile, the United Nations has been trying to limit North Korea's cybercrime tactics internationally, as it is understood that North Korea is using the stolen funds to support its nuclear missile program.