Lazarus group deploys new stealth malware in job scams
In recent developments, the notorious North Korean hacking collective known as the Lazarus Group has been found using a highly sophisticated form of malware in its deceptive employment scams. Security researchers are warning that this new malware is significantly more challenging to detect compared to its predecessor. Security firm ESET’s senior malware researcher, Peter Kálnai, disclosed these findings in a post on September 29. The discovery was made while analyzing a fake job attack targeting a Spain-based aerospace firm.
ESET researchers shed light on the Lazarus group malware
ESET researchers stumbled upon a previously undocumented backdoor named LightlessCan during their investigation. The Lazarus Group has a history of employing fake job scams as part of its cyber espionage efforts. Typically, these scams involve luring victims with the promise of employment at a well-known company. Once enticed, victims are tricked into downloading a malicious payload disguised as documents, leading to various forms of cyber harm. However, Kálnai points out that the new LightlessCan payload represents a “significant advancement” over its predecessor, BlindingCan.
What sets LightlessCan apart is its ability to mimic native Windows commands, allowing it to execute discreetly within the Remote Access Trojan (RAT) itself, avoiding the noisy console executions that would typically raise suspicion. This stealthy approach provides a considerable advantage in terms of evading real-time monitoring solutions like Endpoint Detection and Response (EDR) systems and post-incident digital forensic tools. Furthermore, the new malware employs what Kálnai describes as “execution guardrails.”
These guardrails ensure that the payload can only be decrypted on the intended victim’s machine, preventing unintended decryption by security researchers or other unauthorized parties. An example of the new malware’s deployment was observed in an attack on a Spanish aerospace firm. In this case, an employee received a message in 2022 from a fictitious Meta recruiter named Steve Dawson. Subsequently, the hackers sent over two seemingly innocuous coding challenges that were, in reality, embedded with the LightlessCan malware.
North Korean hackers and global security concerns
Peter Kálnai also highlights that cyber espionage was the primary motivation behind the Lazarus Group’s targeting of the aerospace firm. This discovery sheds light on the evolving tactics and capabilities of the Lazarus Group, a hacking entity with a well-documented history of cyberattacks and criminal activities. Over the years, this group has managed to steal an estimated $3.5 billion from cryptocurrency projects, according to a report by blockchain forensics firm Chainalysis published on September 14, 2022.
The issue of fake job scams as a cover for cyberattacks is not new. In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn that offered potential victims a job at Crypto.com. This campaign, dubbed “Operation Dream Job,” was another instance of threat actors leveraging the lure of employment for malicious purposes. In a broader context, the international community, led by organizations like the United Nations, has been working to curb North Korea’s cybercrime activities.
It is well-understood that North Korea uses stolen funds from cyberattacks to support its nuclear missile program, making these efforts a matter of global security concern. The Lazarus Group’s use of advanced malware like LightlessCan in fake job scams underscores the persistent and evolving nature of cyber threats. This case serves as a reminder of the need for robust cybersecurity measures and heightened vigilance, especially in the face of increasingly sophisticated threat actors like the Lazarus group. As cybercriminals continue to adapt and develop new tactics, organizations, and individuals must stay ahead of the curve to protect themselves from potential harm.
Read More
Lazarus group deploys new stealth malware in job scams
In recent developments, the notorious North Korean hacking collective known as the Lazarus Group has been found using a highly sophisticated form of malware in its deceptive employment scams. Security researchers are warning that this new malware is significantly more challenging to detect compared to its predecessor. Security firm ESET’s senior malware researcher, Peter Kálnai, disclosed these findings in a post on September 29. The discovery was made while analyzing a fake job attack targeting a Spain-based aerospace firm.
ESET researchers shed light on the Lazarus group malware
ESET researchers stumbled upon a previously undocumented backdoor named LightlessCan during their investigation. The Lazarus Group has a history of employing fake job scams as part of its cyber espionage efforts. Typically, these scams involve luring victims with the promise of employment at a well-known company. Once enticed, victims are tricked into downloading a malicious payload disguised as documents, leading to various forms of cyber harm. However, Kálnai points out that the new LightlessCan payload represents a “significant advancement” over its predecessor, BlindingCan.
What sets LightlessCan apart is its ability to mimic native Windows commands, allowing it to execute discreetly within the Remote Access Trojan (RAT) itself, avoiding the noisy console executions that would typically raise suspicion. This stealthy approach provides a considerable advantage in terms of evading real-time monitoring solutions like Endpoint Detection and Response (EDR) systems and post-incident digital forensic tools. Furthermore, the new malware employs what Kálnai describes as “execution guardrails.”
These guardrails ensure that the payload can only be decrypted on the intended victim’s machine, preventing unintended decryption by security researchers or other unauthorized parties. An example of the new malware’s deployment was observed in an attack on a Spanish aerospace firm. In this case, an employee received a message in 2022 from a fictitious Meta recruiter named Steve Dawson. Subsequently, the hackers sent over two seemingly innocuous coding challenges that were, in reality, embedded with the LightlessCan malware.
North Korean hackers and global security concerns
Peter Kálnai also highlights that cyber espionage was the primary motivation behind the Lazarus Group’s targeting of the aerospace firm. This discovery sheds light on the evolving tactics and capabilities of the Lazarus Group, a hacking entity with a well-documented history of cyberattacks and criminal activities. Over the years, this group has managed to steal an estimated $3.5 billion from cryptocurrency projects, according to a report by blockchain forensics firm Chainalysis published on September 14, 2022.
The issue of fake job scams as a cover for cyberattacks is not new. In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn that offered potential victims a job at Crypto.com. This campaign, dubbed “Operation Dream Job,” was another instance of threat actors leveraging the lure of employment for malicious purposes. In a broader context, the international community, led by organizations like the United Nations, has been working to curb North Korea’s cybercrime activities.
It is well-understood that North Korea uses stolen funds from cyberattacks to support its nuclear missile program, making these efforts a matter of global security concern. The Lazarus Group’s use of advanced malware like LightlessCan in fake job scams underscores the persistent and evolving nature of cyber threats. This case serves as a reminder of the need for robust cybersecurity measures and heightened vigilance, especially in the face of increasingly sophisticated threat actors like the Lazarus group. As cybercriminals continue to adapt and develop new tactics, organizations, and individuals must stay ahead of the curve to protect themselves from potential harm.
Read More