North Korea’s state-sponsored hacking group, Lazarus, has been found using a new and previously undocumented backdoor named “LightlessCan.” Researchers from ESET discovered the malware while investigating a cyberattack on a Spanish aerospace company. ESET assesses that LightlessCan is built on source code from Lazarus Group’s well-known BlindingCan remote access Trojan (RAT).
Lazarus Group has gained notoriety over the years for its devastating cyberattacks on various organizations and financial institutions. It first gained widespread attention in 2014 with its attack on Sony Pictures. Since then, it has been responsible for stealing millions of dollars through attacks on banks, infiltrating defense, government, healthcare, and energy organizations, and executing cryptocurrency heists and supply chain attacks.
ESET’s analysis of the attack on the Spanish aerospace company revealed that Lazarus actors initially gained access through a spear-phishing campaign. The threat actor posed as a recruiter for Meta, the parent company of Facebook, and contacted developers at the aerospace firm via LinkedIn Messaging. The employee who fell for the phishing attempt received coding challenges disguised as a test of their programming skills. However, these challenges contained malicious executables that downloaded additional payloads onto the employee’s system upon execution.
The first payload deployed by Lazarus was an HTTPS downloader dubbed NickelLoader. This tool allowed the threat actors to execute any program of their choice in the compromised system’s memory. In this case, Lazarus used it to drop two RATs: a limited-function version of BlindingCan and the newly discovered LightlessCan backdoor. The role of the simplified version of BlindingCan, known as miniBlindingCan, was to collect system information and execute commands from the command-and-control (C2) server.
According to ESET researcher Peter Kálnai, LightlessCan represents a significant new threat for targeted organizations due to its design, which allows Lazarus to conceal malicious activity on compromised systems. This stealthiness hampers real-time monitoring controls and forensic tools from detecting the malware.
LightlessCan supports up to 68 distinct commands, many of which mimic native Windows utilities for gathering system and environment information. Only 43 of them were implemented in the sample ESET analyzed, which suggests the tool is still under development. Even so, the researchers rate LightlessCan as more advanced than its predecessor, BlindingCan, because it reimplements those native Windows commands inside the RAT process itself rather than invoking the real utilities.
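To make the detection impact concrete, the following is an added example (it is not code from ESET’s report or from the page) showing the process-creation telemetry that in-process command emulation removes. A RAT that spawns recon utilities leaves parent/child process events (Sysmon Event ID 1 or Windows Security 4688) that a simple burst rule catches; a RAT that answers the same questions through API calls inside its own process leaves no such chain, so the identical rule sees nothing. All event records, hostnames, paths and the `quiz.exe` filename below are constructed for this example and are not indicators from the actual incident.

```python
"""Added example, not ESET's or Lazarus's code: a process-creation burst rule
and why a RAT that emulates recon commands in-process sidesteps it.

Event records are constructed; the field names loosely follow Sysmon Event ID 1
(ParentImage / Image / CommandLine) but every value is hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Living-off-the-land utilities commonly spawned during host reconnaissance.
RECON_UTILITIES = {
    "systeminfo.exe", "ipconfig.exe", "whoami.exe", "hostname.exe",
    "net.exe", "nltest.exe", "tasklist.exe", "ping.exe", "netstat.exe",
}

EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
RAT = r"C:\Users\dev\AppData\Local\Temp\quiz.exe"   # constructed stage name
SYS32 = r"C:\Windows\System32"


def _ev(t, parent, image, cmdline):
    return {"t": t, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed timeline: an admin using cmd.exe sporadically, plus a RAT that
# shells out to four recon utilities within a few seconds.
BENIGN_EVENTS = [
    _ev("2023-09-01T09:55:10", EXPLORER, CMD, "cmd.exe"),
    _ev("2023-09-01T09:55:20", CMD, SYS32 + r"\ipconfig.exe", "ipconfig"),
    _ev("2023-09-01T10:00:00", EXPLORER, RAT, "quiz.exe"),
    _ev("2023-09-01T10:08:00", CMD, SYS32 + r"\ping.exe", "ping 10.0.0.1"),
]
RAT_SHELL_OUT = [
    _ev("2023-09-01T10:00:03", RAT, SYS32 + r"\systeminfo.exe", "systeminfo"),
    _ev("2023-09-01T10:00:04", RAT, SYS32 + r"\ipconfig.exe", "ipconfig /all"),
    _ev("2023-09-01T10:00:05", RAT, SYS32 + r"\whoami.exe", "whoami /all"),
    _ev("2023-09-01T10:00:07", RAT, SYS32 + r"\net.exe", 'net group "domain admins" /domain'),
]
# A RAT that shells out produces BENIGN_EVENTS + RAT_SHELL_OUT; a RAT that
# emulates the same commands in-process produces only BENIGN_EVENTS.
SHELL_OUT_EVENTS = BENIGN_EVENTS + RAT_SHELL_OUT
IN_PROCESS_EVENTS = list(BENIGN_EVENTS)


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_recon_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Flag parent images that spawn >= `threshold` distinct recon utilities
    within `window`. Returns [(parent_image, sorted utilities, first_ts)]."""
    by_parent = defaultdict(list)
    for e in events:
        name = basename(e["image"])
        if name in RECON_UTILITIES:
            by_parent[e["parent"]].append((datetime.fromisoformat(e["t"]), name))

    hits = []
    for parent, spawns in by_parent.items():
        spawns.sort()
        for i, (t0, _) in enumerate(spawns):          # sliding window from each spawn
            in_window = {name for t, name in spawns[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits.append((parent, sorted(in_window), t0.isoformat()))
                break                                   # one alert per parent is enough
    return hits


if __name__ == "__main__":
    print("shell-out RAT :", find_recon_bursts(SHELL_OUT_EVENTS))
    print("in-process RAT:", find_recon_bursts(IN_PROCESS_EVENTS))
```

The rule fires once for the shelling-out RAT and not at all for the in-process variant, even though both collect the same information. That is the gap the page describes: with no child-process chain to key on, detection has to move to what the RAT cannot avoid, such as the loader’s HTTPS traffic to the C2 server and the RAT’s memory image.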
Running those commands inside the RAT’s own process is the source of its stealth. Because nothing is handed to cmd.exe or to the corresponding system utilities, no child-process creation events are generated, and those events are what most real-time monitoring rules in endpoint detection and response (EDR) tools and most postmortem forensic timelines key on. The evasion is relative, not absolute: the loader’s HTTPS traffic to the C2 server, the dropped files and the RAT’s memory image remain observable. In addition, the LightlessCan payload is encrypted with a key derived from the victim environment, an execution guardrail that lets it be decrypted only on the intended host. A sample copied to another system, such as a security researcher’s analysis machine or a sandbox, cannot be decrypted without the victim machine’s specific values.
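The environment-keyed encryption described above can be demonstrated with a small, self-contained model. This is an added example, not code from ESET’s analysis and not LightlessCan’s actual scheme: the page does not say which machine attributes Lazarus derives the key from or which cipher is used, so the attributes below (hostname, domain, profile path), the PBKDF2 key derivation, and the SHA-256 counter keystream with an HMAC tag are all stand-ins chosen so the example runs on a stock Python install. The security point it shows is independent of those choices: the payload bytes on disk are useless without the exact environment values, so an analyst needs those values from the compromised host, not just the sample.

```python
"""Added example, not ESET's or Lazarus's code: an execution guardrail that ties
payload decryption to a fingerprint of the victim machine.

Stand-ins (assumptions, not the real scheme): the fingerprint fields, PBKDF2 for
key derivation, and a SHA-256 counter keystream plus HMAC-SHA256 tag in place of
a standard AEAD cipher, so the example runs with the standard library only.
"""
import hashlib
import hmac
import os


def fingerprint(env):
    """Canonical machine fingerprint: sorted key=value pairs, case-folded, so
    that a hostname reported in a different case still yields the same key."""
    return "|".join(f"{k}={str(v).lower()}" for k, v in sorted(env.items())).encode()


def derive_keys(env, salt):
    """Derive separate encryption and MAC keys from the environment fingerprint."""
    material = hashlib.pbkdf2_hmac("sha256", fingerprint(env), salt, 50_000, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(env, payload, salt=None, nonce=None):
    """Encrypt `payload` so that only a host with the same fingerprint can open it.
    Returns salt || nonce || ciphertext || tag."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key, mac_key = derive_keys(env, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(env, blob):
    """Decrypt on the host described by `env`; raises ValueError elsewhere.
    The tag is checked before any plaintext is produced."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(env, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("guardrail: environment fingerprint mismatch, refusing to decrypt")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def can_decrypt(env, blob):
    """True if the guardrail accepts this environment."""
    try:
        unseal(env, blob)
        return True
    except ValueError:
        return False


# Constructed environments: the intended victim versus an analyst's sandbox.
VICTIM_ENV = {"hostname": "WS-ENG-0417", "domain": "corp.example", "user_profile": r"C:\Users\dev"}
SANDBOX_ENV = {"hostname": "DESKTOP-A1B2C3", "domain": "WORKGROUP", "user_profile": r"C:\Users\analyst"}

# Constructed stand-in for the encrypted stage; fixed salt/nonce for reproducibility.
PAYLOAD = b"<constructed stage bytes, not real malware>"
BLOB = seal(VICTIM_ENV, PAYLOAD, salt=b"\x01" * 16, nonce=b"\x02" * 16)


if __name__ == "__main__":
    print("victim host :", unseal(VICTIM_ENV, BLOB))
    print("sandbox host:", can_decrypt(SANDBOX_ENV, BLOB))
```

Two practical consequences follow. For a malware analyst, the sample alone is a dead end; incident responders must capture the victim host’s identifying values (or run the loader in a sandbox that presents them) before the stage can be recovered. For detection, a guardrailed payload is a reminder that the loader, not the final stage, is often the only artifact that can be analyzed off-host.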
Overall, Lazarus Group’s addition of LightlessCan to its arsenal highlights the group’s ongoing development of advanced and evasive malware. Organizations must remain vigilant and implement robust security measures to defend against these persistent threats.

