The new malware from Lazarus can now evade detection
Researchers at ESET have warned that the malware payload known as “LightlessCan” is far harder to detect than its predecessor and is therefore being used in more sophisticated fake-job scams.
Researchers have warned that the Lazarus Group, a North Korean hacking organization, is using a new kind of “sophisticated” malware in its bogus job scams that is far more difficult to detect than its predecessor.
According to a blog post published on September 29 by ESET senior malware researcher Peter Kálnai, the company uncovered a previously undocumented backdoor called LightlessCan while investigating a recent fake-job attack against a Spanish aerospace company.
The Lazarus Group’s bogus job offers usually involve posing as a reputable company. To achieve their malicious goals, the attackers lure their targets into downloading a malicious payload disguised as documents.
Kálnai called the new LightlessCan payload a “significant advancement” over its predecessor, BlindingCan.
To avoid noisy console executions, “LightlessCan mimics the functionalities of a wide range of native Windows commands,” Kálnai explained.
“This method is much more discreet, both when it comes to avoiding real-time monitoring tools like EDRs and digital forensic tools used after the fact,” he said.
The new payload includes “execution guardrails,” which prevent unauthorized decryption by security researchers by ensuring the payload can only be decrypted on the system of the targeted victim.
According to Kálnai, one case involving the new malware occurred in 2022, when a Spanish aerospace company was attacked after one of its employees received a message purporting to be from a Meta recruiter called Steve Dawson.
The attackers promptly sent over two simple coding challenges bundled with the malware. Kálnai also said that cyberespionage was the motive behind the Lazarus Group’s attack on the Spanish aerospace company.
Chainalysis, a blockchain forensics firm, released research on September 14 estimating that North Korean hackers had stolen $3.5 billion from crypto projects since 2016.
LinkedIn users were the target of a fake-job scam in September 2022, when cybersecurity company SentinelOne issued a warning about the scheme, which promised victims jobs at Crypto.com as part of an initiative called “Operation Dream Job.”
It is believed that North Korea is using the stolen funds to bolster its nuclear missile development, and the United Nations has been working to put a stop to North Korea’s cybercrime activities on a global scale.