A renowned cybercriminal group known for its ties to the North Korean regime has continued its string of recent attacks by targeting an unnamed Spanish aerospace company.
Lazarus, best known for its 2017 WannaCry attack, has adapted and evolved its attack methods.
This latest attack is a variation of the “Dream Job” campaign that recently targeted Amazon workers.
Malware disguised as a coding challenge
Employees were contacted by what appeared to be recruiters from Meta via LinkedIn, who were looking for individuals to complete a coding challenge to demonstrate their capabilities.
Instead of launching the encryption challenge, the files instead installed malware most likely intended to steal aerospace data ESET researchers. Aerospace data has long been a target of North Korean hackers and the theory behind this is its use in North Korea’s nuclear missile programs. Some of the malware included Lazarus’ latest backdoor software, LightlessCan, which builds on the group’s work with their previous payload, BlindingCan.
“The most concerning aspect of the attack is the new type of payload, LightlessCan, a complex and potentially evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advance in malicious capabilities compared to its predecessor, BlindingCan. ” said the ESET reporter.
“The attackers can now significantly reduce the execution traces of their favorite Windows command-line tools, which are heavily used in their post-compromise activities. This maneuver has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and post-mortem digital forensic tools.”
Through The register