Lazarus hacking group's cyber espionage: Learn how LightlessCan infiltrated a Spanish aerospace company

Continue reading
In a recent cybersecurity incident, the notorious North Korean hacking group known as 'Lazarus' demonstrated their evolving tactics by targeting employees of a Spanish aerospace company. The attack involved a cunning blend of social engineering and the deployment of a previously undocumented backdoor named 'LightlessCan.' Let's dissect the technical details of this operation.
Lazarus initiated this attack with a deceptive LinkedIn message from a fake recruiter, masquerading as 'Steve Dawson' from Meta (Facebook). The target was lured into engaging with the attackers by feigning interest in a job opportunity. As the conversation progressed, the victim was asked to prove their proficiency in C++ programming, a clever ruse to introduce malicious payloads.
To deliver the malicious payloads, Lazarus employed ISO files containing executable quizzes. When executed, these files silently dropped an additional payload onto the victim's machine using DLL side-loading through 'mscoree.dll,' a legitimate program ('PresentationHost.exe'). This additional payload was the NickelLoader malware loader, responsible for deploying two backdoors, including 'LightlessCan.'
miniBlindingCan, a variant of BlindingCan with reduced functionality, was one of the backdoors deployed. This backdoor supports a range of commands, allowing the attacker to gather system information, update communication intervals with the command and control (C2) server, download and decrypt files, and execute shellcode. Its versatility makes it a potent tool for cyber espionage.
ESET's analysis revealed LightlessCan as the star of this attack. It's a successor to BlindingCan, boasting a more sophisticated code structure, different indexing, and enhanced functionality. In version 1.0, it supports a staggering 43 commands, with an additional 25 commands lurking in the code, yet to be implemented. What sets LightlessCan apart is its ability to mimic native Windows commands, such as 'ping' and 'ipconfig,' while remaining invisible to real-time monitoring tools.
One intriguing defense measure implemented by Lazarus is the encryption of one LightlessCan payload with a key dependent on the target's environment. This tactic thwarts attempts by security researchers or analysts to access the victim's computer, emphasizing Lazarus' commitment to secrecy and espionage.
This attack underscores that Lazarus' motives extend beyond mere financial gain, such as cryptocurrency theft. Their 'Operation Dreamjob' campaign reveals a strategic shift towards espionage, targeting sensitive information and intellectual property.
For organizations in the crosshairs of threat groups like Lazarus, this development is concerning. The introduction of LightlessCan showcases the group's growing sophistication and adaptability. Enterprises must remain vigilant, continuously updating their cybersecurity defenses to counter evolving threats.
The Lazarus hacking group's recent attack on a Spanish aerospace company serves as a stark reminder of the ever-changing landscape of cybersecurity threats. Their blend of social engineering and the deployment of advanced backdoors like LightlessCan demonstrates the need for organizations to stay proactive and vigilant in defending against cyber adversaries.
In this dynamic environment, understanding the nuances of such attacks is paramount to crafting effective defense strategies. As cybersecurity professionals, staying informed about the latest tactics and tools employed by threat actors is essential to safeguarding our digital assets and sensitive information.
For the Spanish aerospace company, this incident serves as a wake-up call, highlighting the need for robust cybersecurity measures to protect against persistent and determined adversaries like Lazarus. The future of cybersecurity lies in continuous adaptation and proactive defense, and organizations must rise to the challenge to secure their digital infrastructure.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again