ESET researchers have uncovered a Lazarus attack on an aerospace company in Spain. The attackers used multiple tools, including a newly discovered backdoor dubbed LightlessCan by ESET.
North Korea-linked operatives of the Lazarus group gained access to the company’s network last year after a successful spear phishing attack in which they impersonated a recruiter for Meta, which owns the Facebook, Instagram and WhatsApp platforms. The ultimate goal of the attack was recorded as cyber espionage.
The fake recruiter contacted the victim via LinkedIn Messaging, a feature provided by the professional social networking platform LinkedIn. He sent the victim two coding tests that were said to be required as part of the hiring process. Through collaboration with the affected aerospace company, ESET Research was able to analyze the toolkit used by Lazarus by recreating the initial access steps. The group targeted multiple company employees.
Lazarus sent multiple payloads to victims’ systems. The most important of these was a complex, previously unrecorded remote access trojan (RAT) called LightlessCan. The trojan mimics the functions of a wide range of native Windows commands and is often exploited by attackers by replacing noisy console executions with execution that is hidden within the RAT itself. This strategic change enhances the stealth feature, making it more challenging to detect and analyze the attacker’s activities.
Peter Kálnai, the ESET researcher who uncovered the attack, said, “The most alarming aspect of this attack is the new payload type LightlessCan, a complex and possibly self-improving tool that exhibits a high level of sophistication in its design and operation and appears to provide a significant improvement in malicious capabilities compared to its predecessor BlindingCan.”
The North Korea-linked cyber espionage group Lazarus, also known as HIDDEN COBRA, is believed to have been active since 2009. Lazarus possesses all three key characteristics of cybercriminal activity: espionage, sabotage and the desire for financial gain. Aerospace firms have been identified as familiar targets for North Korea-linked APT groups.