Lazarus Group's new malware is built to evade detection.
North Korea's Lazarus Group has been using a new, more sophisticated piece of malware in its fake-recruitment scams, and researchers warn it is harder to detect than its predecessor.
According to a report published on September 29 by ESET senior malware researcher Peter Kálnai, ESET researchers discovered a previously undocumented backdoor, which they named LightlessCan, while analyzing a recent fake-job attack on an aerospace company in Spain.
#ESET researchers released their findings regarding an attack by North Korea-linked #APT group #Lazarus on an aerospace company in Spain.
▶️ Learn more in the #WeekinSecurity video by @TonyAtESET.
— ESET (@ESET) September 29, 2023
Lazarus Group's fake job scams typically lure victims with a job offer from a reputable company. The attackers then trick the victim into downloading a malicious payload disguised as a document or coding test, which installs the group's backdoor.
Kálnai says the new LightlessCan payload is a "significant improvement" over its predecessor, BlindingCan.
“LightlessCan can mimic the functionality of many native Windows commands, enabling discreet execution within its own RAT instead of noisy console executions.”
“This approach provides a significant advantage in terms of stealth in escaping real-time surveillance solutions such as EDRs and post-mortem digital forensics tools,” he said.
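The stealth gain Kálnai describes is concrete: a RAT that runs `ipconfig` or `systeminfo` by spawning `cmd.exe` leaves process-creation events that endpoint rules catch, while a RAT that reimplements those commands in its own process leaves none. The following is an added example, not code from ESET or from the LightlessCan sample, of a typical process-ancestry rule over constructed Sysmon-style records; the tool list, the interactive-launcher baseline and the dropper name `CodingTest.exe` are assumptions made for the illustration.

```python
"""Added example (not from ESET's report or the LightlessCan sample):
a process-ancestry check for "noisy" console execution, and why a RAT that
emulates the same commands in-process slips past it.

All records are constructed Sysmon-style process-creation events, not real telemetry."""
from dataclasses import dataclass

# Native Windows console utilities that reconnaissance commonly spawns (assumed list)
CONSOLE_TOOLS = {"cmd.exe", "ipconfig.exe", "systeminfo.exe", "net.exe",
                 "whoami.exe", "tasklist.exe", "netstat.exe", "nslookup.exe"}
# Shells are transparent: the rule looks past them to whatever launched them
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Launchers that put a human behind the keyboard (assumed baseline)
INTERACTIVE_ROOTS = {"explorer.exe", "wt.exe", "windowsterminal.exe"}


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    ppid: int
    image: str      # full image path as Sysmon logs it
    cmdline: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def launcher_of(ev: ProcCreate, by_pid: dict, max_hops: int = 4):
    """Walk up the parent chain, skipping shells, to the first non-shell ancestor."""
    parent = by_pid.get(ev.ppid)
    for _ in range(max_hops):
        if parent is None:
            return None                      # chain left the log window
        name = image_name(parent.image)
        if name not in SHELLS:
            return name
        parent = by_pid.get(parent.ppid)
    return None


def suspicious_console_spawns(events):
    """Return (pid, tool, launcher) for console tools not rooted in an interactive session."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        tool = image_name(ev.image)
        if tool not in CONSOLE_TOOLS:
            continue
        launcher = launcher_of(ev, by_pid)
        if launcher not in INTERACTIVE_ROOTS:
            hits.append((ev.pid, tool, launcher or "unknown"))
    return hits


# Constructed telemetry: a trojanized "coding test" dropper doing recon the noisy way
NOISY_RAT = [
    ProcCreate(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcCreate(200, 100, r"C:\Users\dev\Downloads\CodingTest.exe", "CodingTest.exe"),
    ProcCreate(300, 200, r"C:\Windows\System32\cmd.exe", "cmd /c ipconfig /all"),
    ProcCreate(400, 300, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcCreate(500, 200, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ProcCreate(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),      # user opened a prompt
    ProcCreate(700, 600, r"C:\Windows\System32\whoami.exe", "whoami"),    # and typed whoami
]
# The same recon done in-process, LightlessCan-style: only the dropper start is logged
QUIET_RAT = NOISY_RAT[:2]

if __name__ == "__main__":
    for hit in suspicious_console_spawns(NOISY_RAT):
        print("noisy:", hit)
    print("quiet:", suspicious_console_spawns(QUIET_RAT))
```

The noisy variant produces three alerts (the `cmd.exe`, `ipconfig.exe` and `systeminfo.exe` spawns, all traced back to the dropper), while the user's own `cmd.exe` and `whoami` are left alone. The quiet variant produces nothing, because no child process ever exists: catching it requires telemetry from inside the process (API hooking, memory scanning, network behaviour) rather than process-creation events.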
Beware of fake LinkedIn recruiters! Learn how the Lazarus Group exploited a Spanish aerospace company in a Trojanized coding challenge. See details of their cyber attack campaign in our new #WeLiveSecurity article. #ESET
— ESET (@ESET) September 29, 2023
The new payload also uses what the researcher calls "execution guardrails": the payload can only be decrypted on the intended victim's machine, which prevents unintended decryption by security researchers.
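The mechanism behind such guardrails is an environment-keyed payload: the decryption key is never shipped, it is derived from something the operator already knows about the target, so the same blob is opaque on any other host. The block below is an added example, not ESET's code or the LightlessCan implementation; hostname and username as the fingerprint, PBKDF2 plus an HMAC-based stream cipher and tag, and the constructed host `WS-ENG-042` are assumptions chosen to keep it in Python's standard library (real tooling would use an AEAD such as AES-GCM).

```python
"""Added example (not ESET's code or the LightlessCan implementation):
an environment-keyed payload, the idea behind execution guardrails.

Assumptions: the fingerprint is hostname|username; key derivation is PBKDF2-SHA256;
encryption is an HMAC-SHA256 counter keystream with a separate HMAC tag,
used only to stay in the standard library."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor


def host_fingerprint(hostname: str, username: str) -> bytes:
    """The 'environment key': what the operator expects to find on the target."""
    return f"{hostname.strip().lower()}|{username.strip().lower()}".encode()


def derive_keys(fingerprint: bytes, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", fingerprint, salt, PBKDF2_ROUNDS)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: bytes) -> bytes:
    """Operator side: encrypt the stage so that only the fingerprinted host can open it."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = derive_keys(fingerprint, salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def unseal(blob: bytes, fingerprint: bytes):
    """Implant side: returns the payload on the intended host, None anywhere else."""
    if len(blob) < 60:
        return None
    salt, nonce, tag, ct = blob[:16], blob[16:28], blob[28:60], blob[60:]
    enc_key, mac_key = derive_keys(fingerprint, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment: the stage stays opaque, nothing to analyse
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    target = host_fingerprint("WS-ENG-042", "dev.user")          # constructed victim identity
    blob = seal(b"<next-stage bytes>", target)
    print(unseal(blob, target))                                   # b'<next-stage bytes>'
    print(unseal(blob, host_fingerprint("analyst-vm", "sandbox")))  # None
```

For the defender this explains why a sample pulled from a sandbox or a file share may be unanalysable on its own: the tag check fails on any host whose fingerprint differs, so the stage has to be decrypted with identifiers recovered from the actual victim machine, or brute-forced when the fingerprint has little entropy (a short hostname list, a known username format).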
One case involving the new malware comes from an attack on a Spanish aerospace company in 2022, when an employee received a message from a fake Meta recruiter, Kálnai said.
Soon after, the hackers sent two simple coding challenges that carried the malware.
Cyberespionage was the main motivation behind Lazarus Group's attack on the Spanish aerospace company, he added.
North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects since 2016, according to a September 14 report by blockchain forensics firm Chainalysis.
In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn that targeted potential victims at Crypto.com, part of a campaign dubbed "Operation Dream Job."
Meanwhile, the United Nations has made efforts to curb North Korea's cybercrime globally, as the regime uses the stolen funds to finance its nuclear and missile programs.