A Spanish aerospace firm has fallen victim to an organized attack orchestrated by scammers who are using LinkedIn to trick the company’s employees. The attackers are posing as recruiters on the professional social networking platform and targeting employees who use their corporate computers for personal purposes. This cyberespionage campaign has been attributed to the Lazarus group, a notorious hacking group based in North Korea. The group is known for its high-profile attacks, including the Sony Pictures Entertainment hack in 2016 and the WannaCry ransomware attack in 2017.
The attackers are using a backdoor called LightlessCan, which has the ability to evade detection by real-time security monitoring software and even cybersecurity experts. This backdoor is a predecessor to Lazarus’ signature Remote Access Trojan (RAT) BlindingCan. ESET Research, a cybersecurity company, has published a report detailing this newly discovered campaign by Lazarus.
The use of LinkedIn as a tool for targeting large companies is not new for Lazarus. In 2022, it was revealed that the group used fake LinkedIn job offers to steal $625 million from the Ronin Network, a blockchain network that supports the popular crypto game Axie Infinity and Axie DAO.
The attackers gain initial access to the company’s network through spearphishing attacks, where they pose as recruiters from Meta, a well-known technology company. They contact employees through LinkedIn Messaging and send them two coding challenges as part of the hiring process. These challenges are disguised as image files but are actually executable files that contain trojanized PDF viewers or trojanized SSL/VPN clients. When the victims execute these files, their systems become compromised, allowing the attackers to gain access.
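The lure described above relies on a file whose name suggests an image while its content is an executable. One defensive check that a mail gateway or endpoint script can run over such attachments is to compare the claimed extension with the file's magic bytes. The following is an added example, not code from the article or from ESET's research; the file names and byte strings are constructed samples, and the verdict labels are this example's own.

```python
"""
Flag attachments whose image-style extension disagrees with their content.

Added example (not from the article or ESET): compares the extension a file
claims against the format its leading bytes declare. All sample names and
bytes below are constructed; none are real malware.
"""
from pathlib import PurePath

# Leading bytes of common image formats (from the public format specs).
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
}

# Leading bytes of native executable containers: Windows PE, ELF, Mach-O.
EXECUTABLE_MAGIC = {
    "PE": [b"MZ"],
    "ELF": [b"\x7fELF"],
    "Mach-O": [b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf"],
}


def detect_header(data: bytes) -> str:
    """Name the container the first bytes declare, or 'unknown'."""
    for fmt, prefixes in EXECUTABLE_MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    for ext, prefixes in IMAGE_MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return "image" + ext
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the header and return a verdict."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    # "challenge.jpg.exe" style double extensions are a second signal.
    double_image_ext = len(suffixes) >= 2 and suffixes[-2] in IMAGE_MAGIC
    header = detect_header(data)
    if header in EXECUTABLE_MAGIC and (claimed in IMAGE_MAGIC or double_image_ext):
        verdict = "masquerading executable"
    elif claimed in IMAGE_MAGIC and not any(
        data.startswith(p) for p in IMAGE_MAGIC[claimed]
    ):
        verdict = "extension mismatch"
    else:
        # A plain .exe that really is a PE is out of scope for this check.
        verdict = "ok"
    return {"name": name, "claimed": claimed, "header": header, "verdict": verdict}


def scan(samples):
    """Return the names of all samples that did not get an 'ok' verdict."""
    return [name for name, data in samples if classify(name, data)["verdict"] != "ok"]


# Constructed samples: a real PNG, a PE with a .png name, a PE with a double
# extension, a GIF mislabeled as JPEG, and an honestly named PE.
SAMPLES = [
    ("Quiz1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("Quiz2.png", b"MZ\x90\x00" + b"\x00" * 60),
    ("Quiz3.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("notes.jpg", b"GIF89a" + b"\x00" * 32),
    ("tool.exe", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(classify(name, data))
    print("flagged:", scan(SAMPLES))
```

Magic-byte checks are cheap and catch the simple masquerade this campaign used, but they are not a substitute for blocking executable attachments outright or for sandboxing anything received through a recruiting conversation on a corporate machine.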
During the final stages of the attack, the attackers infect the compromised system with an HTTP(S) downloader called NickelLoader. They use this downloader to deploy two RATs: miniBlindingCan, a simplified version of BlindingCan, and the newly discovered LightlessCan. LightlessCan supports up to 68 different commands and is designed to be highly stealthy, making it difficult to detect and analyze.
According to Victor Acin, the Manager at Outpost24, “as companies increase their cybersecurity capabilities and consolidate their technology, it becomes more and more difficult to exploit vulnerabilities in the traditional way. This, along with finding faults within the application logic and its programming, makes zero-day vulnerabilities rare. Social engineering attacks, like the one used in this campaign, are becoming more common as threat actors target the weakest link in the security chain: the user.”
Aerospace firms are attractive targets for Lazarus and other North Korea-sponsored APT groups because they often have access to sensitive technology. Additionally, the proceeds from cyberattacks can help fund the development of North Korea’s missile program.
This latest campaign by Lazarus serves as a reminder of the ever-evolving tactics and tools employed by cybercriminals. It is crucial for organizations to remain vigilant and continually update their security measures to protect against these sophisticated attacks.
