Hackers Impersonate Meta Recruiter to Target Aerospace FirmNorth Korean Threat Actor Lazarus Group Deploys New Backdoor
Researchers discovered an undocumented backdoor dubbed LightlessCan being used by the North Korean threat actor Lazarus Group to target a Spanish aerospace company.
Eset researchers said an employee of the aerospace firm was lured with a fake job opportunity. The attacker, masquerading as a Meta recruiter, tricked the victim into downloading and executing malicious code on a company device.
The attack is part of an ongoing campaign tracked as Operation DreamJob, in which fake recruiters reach out through LinkedIn (see: North Korean Hackers Find Value in LinkedIn).
Attackers convince victims to self-compromise their systems by employing different strategies such as luring the target to execute a malicious PDF viewer to see the full contents of a job offer. Or, they encourage the victim to connect with a Trojanized SSL/VPN client.
"The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan," researchers said.
Eset said is observed victims receiving two malicious executables,
Quiz2.exe, which were delivered via
.iso images hosted on a third-party cloud storage platform.
"The first challenge is a very basic project that displays the text 'Hello, World!'" researchers said. "The second prints a Fibonacci sequence up to the largest element smaller than the number entered as input." A Fibonacci sequence is a series of numbers in which each number is the sum of the two preceding ones, typically starting with 0 and 1. This malicious campaign sequence starts with 1 and 2.
Once the output is printed, both executables trigger the malicious action of installing additional payloads from the ISO images onto the target's system.
The first payload is an HTTP(S) downloader dubbed NickelLoader. This allows the attackers to deploy any desired program into the memory of the victim's computer.
NickelLoader is used by attackers to deliver two types of RATs, a variant of the BlindingCan backdoor with limited functionality but identical in command processing logic and the newly introduced LightlessCan.
Researchers at Eset call LightlessCan the successor of the group's flagship BlindingCan Trojan. It can support up to 68 distinct commands, indexed in a custom function table. In the current version, 1.0, only 43 of those commands are implemented with some functionality, researchers said.
"The remaining commands are present but have a formal implementation in the form of placeholders, lacking actual functionality. The project behind the RAT is definitely based on the BlindingCan source code, as the order of the shared commands is preserved significantly, even though there may be differences in their indexing."
Researchers said the attackers can significantly limit traces of the Windows command-line programs used post-compromise activity, affecting the effectiveness of real-time monitoring solutions and post-mortem digital forensic tools.