en English
en Englishfr Frenchde Germanit Italianru Russianes Spanish

Crypto firms beware: Lazarus’ new malware can now bypass detection

The malware payload “LightlessCan” — used in fake job scams — is far more challenging to detect than its predecessor, warns cybersecurity researchers at ESET.

News

Join us on social networks

North Korean hacking collective Lazarus Group has been using a new type of “sophisticated” malware as part of its fake employment scams — which researchers warn is far more challenging to detect than its predecessor.

According to a Sept. 29 post from ESET’s senior malware researcher Peter Kalnai, while analyzing a recent fake job attack against a Spain-based aerospace firm, ESET researchers discovered a publicly undocumented backdoor named LightlessCan.

#ESET researchers unveiled their findings about an attack by the North Korea-linked #APT group #Lazarus that took aim at an aerospace company in Spain.

? Find out more in a #WeekinSecurity video with @TonyAtESET. pic.twitter.com/M94J200VQx

— ESET (@ESET)

September 29, 2023

The Lazarus Group’s fake job scam typically involves tricking victims with a potential offer of employment at a well-known firm. The attackers would entice victims to download a malicious payload masqueraded as documents to do all sorts of damage.

However, Kalnai says the new LightlessCan payload is a “significant advancement” compared to its predecessor BlindingCan.

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions.”

“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools,” he said.

?? Beware of fake LinkedIn recruiters! Find out how Lazarus group exploited a Spanish aerospace company via trojanized coding challenge. Dive into the details of their cyberespionage campaign in our latest #WeLiveSecurity article. #ESET #ProgressProtected

— ESET (@ESET)

September 29, 2023

The new payload also uses what the researcher calls “execution guardrails” — ensuring that the payload can only be decrypted on the intended victim’s machine, thereby avoiding unintended decryption by security researchers.

Kalnai said that one case that involved the new malware came from an attack on a Spanish aerospace firm when an employee received a message from a fake Meta recruiter named Steve Dawson in 2022.

Soon after, the hackers sent over the two simple coding challenges embedded with the malware.

The initial contact by the attacker impersonating a recruiter from Meta. Source: WeLiveSecurity.

Cyberespionage was the main motivation behind Lazarus Group’s attack on the Spain-based aerospace firm, he added.

Related: 3 steps crypto investors can take to avoid hacks by the Lazarus Group

Since 2016, North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects, according to a Sept. 14 report by blockchain forensics firm Chainalysis.

In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn, offering potential victims a job at Crypto.com as part of a campaign dubbed “Operation Dream Job.”

Meanwhile, the United Nations has beetrying to curtail North Korea’s cybercrime tactics at the international level — as it is understood North Korea is using the stolen funds to support its nuclear missile program.

Magazine:$3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous post Is Uptober here? Bitcoin, Ethereum suddenly pumps, wiping $70M in shorts
Next post Energy & precious metals – weekly review and outlook