North Korean Lazarus Group Utilizes Advanced Malware in Job Scams
Summary:
The North Korean Lazarus Group is deploying a more advanced malware, dubbed LightlessCan, in their fake job scams, making detection significantly more challenging. First spotted in an attack on a Spanish aerospace firm, the upgraded payload has innovative features that enhance its stealth and protect it from unintended decryption by security analysts. The hackers typically bait victims with fake lucrative job offers and trick them into downloading a malicious payload. Since 2016, North Korean hackers have reportedly stolen an estimated $3.5 billion from cryptocurrency projects.
The North Korean hacking group Lazarus Group has been employing more advanced malware in its so-called job scam ruses, making detection a bigger challenge than with its prior iteration. On September 29, Peter Kálnai, a senior malware researcher at ESET, detailed his analysis of a recent fake recruitment scam targeting a Spanish aerospace company, in which a previously undocumented backdoor named LightlessCan was identified.
The modus operandi for the Lazarus Group's recruitment fraud usually involves baiting victims with a potentially lucrative job opportunity at a reputable company. The unsuspecting candidates are then tricked into downloading a harmful payload disguised as documents, which then compromises their systems. Kálnai highlighted that the new LightlessCan payload represents a "major upgrade" from its older counterpart, BlindingCan.
LightlessCan imitates the functionality of various native Windows commands, so that they execute discreetly inside the RAT itself rather than as conspicuous console processes that defenders can observe. "This method provides a considerable benefit in terms of evasiveness, aiding in avoiding real-time surveillance solutions like EDRs, and in thwarting post-incident digital forensic tools," he commented.
The updated payload also incorporates what Kálnai refers to as "execution guardrails", ensuring the payload can only be decrypted on the intended victim's system, thereby preventing unintended decryption by security analysts. The new malware was first spotted in an attack on a Spanish aerospace company, where an employee was sent a message from a fictitious Meta recruiter, Steve Dawson, in 2022. The hackers swiftly sent over a pair of uncomplicated coding challenges laced with the malware.
Cyberespionage was the primary motive for Lazarus Group's attack on the Spanish firm, Kálnai added. Reports estimate that North Korean hackers have stolen approximately $3.5 billion from cryptocurrency projects since 2016, as reported by blockchain forensics firm Chainalysis on September 14. In the previous year, cybersecurity company SentinelOne flagged a job scam on LinkedIn, in which victims were offered jobs at Crypto.com, under an operation called "Dream Job".
Meanwhile, the United Nations is making concerted efforts to curb North Korea's cybercriminal activities on the global stage, on the understanding that North Korea is diverting the illicit funds to sustain its nuclear missile program.
Published At: 10/2/2023 3:04:57 AM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.