In a recent development, the Lazarus Group, a North Korean hacking collective, has introduced a highly advanced malware variant named LightlessCan in their deceptive job scams. This new malware poses a significant challenge to detection compared to its predecessor.
ESET’s senior malware researcher, Peter Kálnai, unveiled these findings after analyzing a fake job attack on a Spanish aerospace firm that took place on September 29.
The Lazarus Group typically operates by enticing victims with attractive job offers from well-known companies and then deceiving them into downloading malicious payloads disguised as documents.
LightlessCan represents a substantial upgrade over its predecessor, BlindingCan. Kálnai explained that LightlessCan is able to mimic various native Windows commands.
Because these mimicked commands run inside the Remote Access Trojan (RAT) process itself rather than being launched as separate processes, the malware avoids the conspicuous console executions that would otherwise be visible on the host.
This heightened stealthiness makes it difficult for real-time monitoring solutions like EDRs (Endpoint Detection and Response) and postmortem digital forensic tools to detect the malware.
Additionally, the new malware incorporates “execution guardrails” so that the payload can only be decrypted on the intended victim’s machine, which prevents security researchers from decrypting it on other systems.
One documented case involving this new malware targeted a Spanish aerospace company. An employee received a message from a fake Meta recruiter named Steve Dawson in 2022. Subsequently, the hackers sent two coding challenges embedded with the malware.
The Lazarus Group’s primary motive for this attack on the Spanish aerospace firm was cyberespionage.
It’s worth noting that North Korean hackers have been responsible for stealing an estimated $3.5 billion from crypto projects since 2016, as reported by blockchain forensics firm Chainalysis on September 14.
In September 2022, cybersecurity firm SentinelOne issued a warning about a fake job scam on LinkedIn, part of a campaign known as “Operation Dream Job,” offering potential victims positions at Crypto.com.