The Lazarus group, a North Korea-aligned threat actor, has recently targeted an aerospace company based in Spain. The intrusion involved several tools, including a previously undocumented backdoor named "LightlessCan." Reports indicate that the attackers gained access to the company's network last year through a spearphishing campaign in which they posed as a recruiter from Meta.
The attack began when the group contacted an employee of the targeted organization through LinkedIn, the professional social networking platform. Posing as a recruiter from Meta, the attacker sent the victim two coding challenges and a job description PDF as part of a fake hiring process. The coding challenges were trojanized; when the victim ran them, the attackers obtained a foothold on the company's network. No software vulnerability was exploited at this stage: the chain depended entirely on the victim executing the files.
The challenges were delivered as two executables named Quiz1.exe and Quiz2.exe, each packaged inside an ISO image (Quiz1.iso and Quiz2.iso). Shipping executables inside disk images is a common lure-delivery technique because, until Microsoft changed the behavior in late 2022, files inside a mounted ISO did not carry the Mark-of-the-Web and so did not trigger the usual SmartScreen warnings when launched. The victim's stated task was to rewrite the programs in C++.
At first glance the executables were trivial: one printed "Hello World" and the other a Fibonacci sequence. They also carried hidden functionality. When run, they loaded further payloads bundled in the same ISO images. The first of these, "NickelLoader," is a loader that lets the operators execute arbitrary programs in memory without writing them to disk. Through it, additional payloads were delivered and used for various purposes in the intrusion.
The most notable of these payloads is the LightlessCan backdoor, which ESET considers the successor to the Lazarus RAT BlindingCan. LightlessCan's command table has 68 entries, but only 43 of them are implemented; the remainder are placeholders with no functionality yet. The commands it shares with BlindingCan appear in the same order in both families' tables, which is one of the indicators tying the two together.
A significant change in LightlessCan is that it reimplements the functionality of native Windows commands such as ping, ipconfig, systeminfo, sc, and net inside the RAT itself. Instead of spawning those tools as child processes (the "noisy" way, which shows up in process-creation telemetry such as Sysmon Event ID 1 or Security Event 4688 and is a staple of EDR detection logic), the operator gets the same information from code running inside the already-compromised process. Detections that key on command-line tools being launched in quick succession therefore see nothing, and defenders have to rely on other signals, such as network activity from an unexpected process or in-memory scanning.
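To make the evasion concrete, here is an added example (not code from the original article or from ESET's report) of the kind of process-lineage detection LightlessCan's in-process reimplementation sidesteps. It scans constructed process-creation records for a parent that launches several distinct discovery tools within a short window. The log format, hostnames, PIDs and timestamps are invented for the example; real deployments would read Sysmon or EDR events instead.

```python
"""Flag bursts of Windows discovery commands in process-creation telemetry.

Added example: the detection works when an operator runs ping/ipconfig/
systeminfo/sc/net as real child processes. A RAT like LightlessCan that
reimplements these commands internally spawns nothing, so the same activity
would produce no records here at all.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Native discovery tools named in the text. net.exe delegates to net1.exe,
# so that child is included as well.
DISCOVERY_IMAGES = {
    "ping.exe", "ipconfig.exe", "systeminfo.exe", "sc.exe", "net.exe", "net1.exe",
}

# Constructed sample records (hypothetical hosts, PIDs and times), in a made-up
# pipe-delimited export: ts|host|parent pid|parent image|image|command line.
SAMPLE_LOG = [
    r"2023-03-01T09:00:05|WS-ENG-07|4120|C:\Windows\System32\rundll32.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2023-03-01T09:00:11|WS-ENG-07|4120|C:\Windows\System32\rundll32.exe|C:\Windows\System32\systeminfo.exe|systeminfo",
    r"2023-03-01T09:00:19|WS-ENG-07|4120|C:\Windows\System32\rundll32.exe|C:\Windows\System32\net.exe|net user",
    r"2023-03-01T09:00:19|WS-ENG-07|5312|C:\Windows\System32\net.exe|C:\Windows\System32\net1.exe|net1 user",
    r"2023-03-01T09:00:40|WS-ENG-07|4120|C:\Windows\System32\rundll32.exe|C:\Windows\System32\ping.exe|ping -n 1 10.0.0.1",
    # Benign admin activity: a single ping from an interactive cmd.exe.
    r"2023-03-01T09:30:00|WS-ENG-07|6600|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
    r"2023-03-01T09:30:02|WS-ENG-07|7012|C:\Windows\System32\cmd.exe|C:\Windows\System32\ping.exe|ping printsrv01",
    # A host where the same recon was done in-process: nothing to see.
    r"2023-03-01T10:15:00|WS-ENG-12|3988|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
]


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    parent_pid: int
    parent_image: str  # basename, lower-cased
    image: str         # basename, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one record of the constructed log format (not Sysmon's own XML)."""
    ts, host, ppid, pimage, image, cmdline = line.split("|", 5)
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return ProcessEvent(datetime.fromisoformat(ts), host, int(ppid),
                        basename(pimage), basename(image), cmdline)


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {(host, parent_pid, parent_image): sorted tool names} for every
    parent that launches at least `min_distinct` different discovery tools
    within `window`. Uses a sliding window over each parent's children."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.image in DISCOVERY_IMAGES:
            by_parent[(ev.host, ev.parent_pid, ev.parent_image)].append(ev)

    hits = {}
    for key, children in by_parent.items():
        children.sort(key=lambda e: e.ts)
        for i, start in enumerate(children):
            in_window = {e.image for e in children[i:] if e.ts - start.ts <= window}
            if len(in_window) >= min_distinct:
                # Report every discovery tool this parent ran, not just the window.
                hits[key] = sorted({e.image for e in children})
                break
    return hits


def analyze(lines=SAMPLE_LOG, **kwargs):
    """Parse raw records and run the burst detection over them."""
    return find_discovery_bursts([parse_line(l) for l in lines], **kwargs)


if __name__ == "__main__":
    for (host, ppid, pimage), tools in analyze().items():
        print(f"{host}: {pimage} (pid {ppid}) ran discovery tools {tools}")
```

On the sample data only the rundll32.exe parent on WS-ENG-07 is flagged; the lone ping from an interactive shell and the host with no child processes produce nothing, which is exactly the blind spot LightlessCan's design exploits.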
ESET, which investigated the incident, has published a detailed report on the compromise covering the lures, the loader and backdoor payloads, and the full infection chain. It is a useful reference for organizations that want to understand and mitigate the Lazarus group's current tradecraft.
Companies should note that this intrusion did not exploit a software vulnerability; it relied on an employee running attacker-supplied executables. Regular patching remains important, but the controls that matter most here are application allow-listing or at least alerting on executables launched from mounted ISO images, endpoint detection capable of spotting in-memory loaders rather than only suspicious child processes, and awareness training that specifically covers unsolicited recruiter approaches and "coding tests" delivered as binaries.
In conclusion, the Lazarus group's attack on the aerospace company in Spain shows how persistent and adaptable this actor remains. By impersonating a recruiter and delivering payloads disguised as coding challenges, it gained a foothold without needing an exploit, and the LightlessCan backdoor, with its in-process reimplementation of Windows discovery commands, shows the group investing in evasion of common detection logic. Organizations should stay vigilant, train employees to recognize recruitment-themed lures, and rely on endpoint and network telemetry that does not depend solely on observing spawned processes.
