Victims were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file. The ultimate goal of the attack is cyber espionage
Researchers of ESET, a global European leader in the cybersecurity market, have discovered a Lazarus attack against an aerospace company in Spain, during which the group used several tools, most notably the LightlessCan backdoor recently discovered by ESET. Operators from the North Korea-affiliated Lazarus Group initially gained access to the company's network last year through a successful spearphishing campaign, in which they posed as recruiters on behalf of Meta, the company it controls Facebook, Instagram and WhatsApp. The ultimate goal of the attack was cyberespionage.
“The most concerning aspect of the attack is the new payload type, LightlessCan, a complex and likely evolving tool that displays a high level of sophistication in both design and operation and represents a significant advancement in malicious capabilities over its predecessor , BlindingCan,” explains Peter Kálnai, the ESET researcher who made the discovery.
The fake recruiter contacted the victim via LinkedIn Messaging, and sent two coding challenges purportedly requested as part of a hiring process, which the victim downloaded and ran on a company device. ESET Research was able to reconstruct the initial access steps and analyze the toolset used by Lazarus thanks to collaboration with the affected aerospace company. The group targeted several company employees.
Lazarus delivered several payloads to victim systems; the most notable is a sophisticated and so far undocumented remote access trojan (RAT) that ESET has named LightlessCan. The trojan mimics the functionality of a wide range of native Windows commands, usually exploited by attackers to allow discreet execution within the RAT itself instead of noisy console executions. This strategic relocation increases stealth, making the attacker's activities more difficult to detect and analyze.
Another mechanism used to minimize exposure is the use of execution guardrails: Lazarus ensured that the payload could only be decrypted on the intended victim's computer. Execution guardrails are a set of protocols and protection mechanisms implemented to safeguard the integrity and confidentiality of the payload during its distribution and execution, effectively preventing decryption on unintended machines, such as those of security researchers.
LightlessCan supports up to 68 distinct commands, but in the current version, 1.0, only 43 of these are implemented with any functionality. ESET Research has identified four different execution chains, which deliver three types of payloads.
The Lazarus Group (also known as HIDDEN COBRA) is a cyberespionage group linked to North Korea, active since at least 2009. The diversity, number and peculiarities in the implementation of Lazarus campaigns define this group, which deals with all and three pillars of cyber criminal activities: cyber espionage, cyber sabotage and the pursuit of financial gain. Aerospace companies are not an uncommon target for North Korea-aligned APT groups. The country has conducted numerous missile tests that violate United Nations Security Council resolutions.
For more technical information on Lazarus, its latest attack, and the LightlessCan backdoor, see the blog post “Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company” on WeLiveSecurity. ESET Research will present the results of this attack at the Virus Bulletin conference on October 4, 2023.
