The North Korean-linked Lazarus threat group used an undocumented remote access trojan (RAT) as part of a LinkedIn-focused phishing attack on a Spanish aerospace company. Attackers claimed to represent Facebook parent company Meta, which also owns Instagram and WhatsApp.
An employee at the targeted company was duped into downloading sophisticated malware onto a work computer by a member of the advanced persistent threat (APT) group.
In a blog post detailing the incident, ESET senior malware researcher Peter Kálnai said the new RAT Lazarus dropped in the attack, which ESET calls LightlessCan, “represents a significant advancement in malicious capabilities compared to its predecessor, BlindingCan”.
“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions,” Kálnai wrote in the post. The malware, he said, represents a shift “making detecting and analyzing the attacker’s activities more challenging.”
The RAT mimics native Windows commands including Ping, IPConfig, SystemInfo, SC (which communicates with the Windows Service Controller and installed services) and NET (used to view and modify network settings). In earlier Lazarus attacks such native commands were often executed remotely after the gang had a foothold in the target’s system.
“In this case, these commands are executed discreetly within the RAT itself, rather than being executed visibly in the system console,” Kálnai said. He said the technique can often outsmart real-time monitoring solutions such as EDRs (endpoint detection and response tools) and forensic tools.
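The detection gap Kálnai describes is easiest to see from the defender's side. The script below is an added illustration, not ESET's code or anything from the malware: it runs a classic hunt for noisy host-discovery commands over a few constructed process-creation events (the key=value format, the hostnames, paths and pids are all invented for the example), flagging discovery tools launched from an unexpected parent and bursts of several different discovery commands from one parent within a minute. A RAT that emulates Ping, IPConfig, SystemInfo, SC and NET in its own process never produces child-process events like these, which is exactly why the technique blinds this kind of rule.

```python
"""Hunt for noisy host-discovery command bursts in process-creation telemetry.

Added example for illustration only (not ESET's or the malware's code).
The event format, field names, hosts, paths and pids below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Native discovery commands the article says LightlessCan now emulates in-process.
DISCOVERY_IMAGES = {"ping.exe", "ipconfig.exe", "systeminfo.exe", "sc.exe", "net.exe", "net1.exe"}

# Parents under which interactive use of those tools is expected (assumed allowlist).
BENIGN_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

BURST_WINDOW = timedelta(seconds=60)   # look for several distinct commands within a minute
BURST_MIN_DISTINCT = 3

# Constructed sample events loosely modelled on process-creation fields (timestamp,
# host, pid, parent pid, image path, parent image path, command line).
SAMPLE_EVENTS = [
    r'ts=2023-09-29T10:01:03Z host=WS01 pid=4120 ppid=500 image=C:\Windows\System32\ipconfig.exe parent=C:\Windows\System32\cmd.exe cmdline="ipconfig /all"',
    r'ts=2023-09-29T10:05:00Z host=WS01 pid=4188 ppid=500 image=C:\Windows\System32\PING.EXE parent=C:\Windows\System32\cmd.exe cmdline="ping fileserver"',
    r'ts=2023-09-29T10:20:10Z host=WS01 pid=7801 ppid=7788 image=C:\Windows\System32\systeminfo.exe parent=C:\Users\jdoe\AppData\Local\Temp\Challenge.exe cmdline="systeminfo"',
    r'ts=2023-09-29T10:20:12Z host=WS01 pid=7805 ppid=7788 image=C:\Windows\System32\ipconfig.exe parent=C:\Users\jdoe\AppData\Local\Temp\Challenge.exe cmdline="ipconfig /all"',
    r'ts=2023-09-29T10:20:15Z host=WS01 pid=7809 ppid=7788 image=C:\Windows\System32\net.exe parent=C:\Users\jdoe\AppData\Local\Temp\Challenge.exe cmdline="net user"',
    r'ts=2023-09-29T10:20:30Z host=WS01 pid=7814 ppid=7788 image=C:\Windows\System32\sc.exe parent=C:\Users\jdoe\AppData\Local\Temp\Challenge.exe cmdline="sc query"',
]

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value event line; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Compare on the lower-cased file name so PING.EXE and ping.exe match.
    fields["image_name"] = fields["image"].rsplit("\\", 1)[-1].lower()
    fields["parent_name"] = fields["parent"].rsplit("\\", 1)[-1].lower()
    return fields


def find_discovery_anomalies(lines):
    """Return findings as (rule, host, parent_name, ppid, detail) tuples."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    children_by_parent = defaultdict(list)

    for ev in events:
        if ev["image_name"] not in DISCOVERY_IMAGES:
            continue
        key = (ev["host"], ev["ppid"], ev["parent_name"])
        children_by_parent[key].append(ev)
        # Rule 1: a discovery tool spawned by something other than a shell or the desktop.
        if ev["parent_name"] not in BENIGN_PARENTS:
            findings.append(("discovery_from_unexpected_parent", ev["host"],
                             ev["parent_name"], ev["ppid"], ev["image_name"]))

    # Rule 2: several distinct discovery commands from one parent inside the window.
    for (host, ppid, parent_name), evs in children_by_parent.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BURST_WINDOW]
            distinct = {x["image_name"] for x in window}
            if len(distinct) >= BURST_MIN_DISTINCT:
                findings.append(("discovery_burst", host, parent_name, ppid,
                                 ",".join(sorted(distinct))))
                break   # one burst finding per parent is enough
    return findings


if __name__ == "__main__":
    for finding in find_discovery_anomalies(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the two commands typed into cmd.exe pass quietly while the four launched by the fake coding-challenge binary produce an unexpected-parent hit each plus one burst finding. Run against a host where the implant emulates those commands internally, the same rules produce nothing, so a hunt for this campaign has to lean on telemetry the implant cannot avoid by staying in-process, such as per-process network connections and the files the lure binary writes.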
Since Windows’ core utilities are proprietary and not open-source, ESET speculated that in developing LightlessCan, Lazarus may have reverse-engineered the closed-source system binaries to add that functionality to the RAT.
ESET said the novel malware used execution guardrails, which are intended to prevent the malware from being decrypted on any machine other than the one targeted by the threat group, making it hard for security researchers to analyze the malware code.
Lazarus has been active since at least 2009 and has been responsible for numerous hacks, including a number of high-profile attacks such as the Sony hack in 2014 and WannaCry in 2017.
Bogus LinkedIn recruiting message for coding challenge
ESET did not name the aerospace company targeted by the gang in this latest attack but said the employee whose machine was compromised engaged with the hackers over LinkedIn Messaging. The victim was tricked into downloading malware on the pretense that the executable files were C++ coding challenge programs required to be completed as part of the recruitment process.
Kálnai said the spear-phishing attack was a continuation of a Lazarus campaign known as Operation Dream Job, a series of espionage-focused attacks involving job-offer lures.
North Korean APTs in general, and Lazarus in particular, have a history of targeting the aerospace and defense sectors in their espionage campaigns. United Nations sanctions monitors have previously documented the rogue state’s criminal efforts to obtain aeronautical data to assist its intercontinental ballistic missile development program. Earlier this year, a U.S. aeronautics firm was targeted by multiple nation-state APTs leveraging well-known Zoho and Fortinet vulnerabilities. The cybersecurity and law enforcement agencies that disclosed the attacks did not say which country or countries the attack groups were from.