A notorious hacking group with well-documented ties to the North Korean regime has continued its recent run of attacks, this time targeting an unnamed Spanish aerospace company.
Lazarus, best known for the 2017 WannaCry attack, has kept adapting and evolving its attack methods.
This latest attack is a variant of the group's 'Operation DreamJob' campaign, earlier versions of which lured targets with fake Amazon job offers.
Malware disguised as a coding challenge
The employees were contacted by what appeared to be Meta recruiters via LinkedIn, looking for people to complete a coding challenge to demonstrate their capabilities.
Instead of running a legitimate coding challenge, the files installed malware that was most likely intended to steal aerospace data, according to ESET researchers. Aerospace data has long been a target of North Korean hackers, and the prevailing theory is that it feeds North Korea's nuclear and missile programs. Among the malware delivered was Lazarus' newest backdoor, LightlessCan, which builds on the group's previous payload, BlindingCan.
“The most concerning aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advance in malicious capabilities compared to its predecessor, BlindingCan,” ESET's researchers wrote.
“Attackers can now significantly limit the execution traces of their favorite Windows command-line programs that are heavily used in their post-compromise activity,” they continued. “This move has far-reaching implications, affecting the effectiveness of both real-time monitoring solutions and post-mortem digital forensic tools.”
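To make the detection consequence concrete, here is an added example (not code from the article, from ESET, or from LightlessCan itself) of a simple process-creation rule of the kind many monitoring setups rely on, run over constructed Sysmon-style log records. The utility names, parent processes, paths and PIDs are assumptions chosen for illustration. One constructed dataset shows classic tradecraft (an implant spawning cmd.exe, which spawns a burst of discovery tools), which the rule catches; the second shows an implant that performs the same discovery through in-process API calls, leaving no child-process record for the rule to match.

```python
"""Constructed example: why in-process emulation of Windows command-line
tools blinds process-creation based detection.

Not ESET's code and not part of LightlessCan. The discovery-tool list,
parent processes, paths and PIDs below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon Event ID 1 / Security 4688 record."""
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process


# Built-in utilities commonly abused for post-compromise discovery (assumed list).
DISCOVERY_TOOLS = {
    "whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe",
    "netstat.exe", "tasklist.exe", "ping.exe", "sc.exe",
}

# Parents from which an interactive user normally launches these tools (assumed).
INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_discovery(events: List[ProcessEvent], burst_threshold: int = 3) -> List[Dict]:
    """Flag a parent that spawns any discovery tool while not being an
    interactive shell, or that spawns `burst_threshold` or more of them.

    The rule only ever sees *process creation* records, which is exactly
    the telemetry an implant removes by reimplementing the tools in-process.
    """
    per_parent: Dict[Tuple[int, str], List[ProcessEvent]] = {}
    for ev in events:
        if basename(ev.image) in DISCOVERY_TOOLS:
            per_parent.setdefault((ev.ppid, ev.parent_image), []).append(ev)

    alerts = []
    for (ppid, parent), evs in per_parent.items():
        if basename(parent) not in INTERACTIVE_SHELLS or len(evs) >= burst_threshold:
            alerts.append({
                "parent_pid": ppid,
                "parent_image": parent,
                "tools": [basename(e.image) for e in evs],
            })
    return alerts


SVC = r"C:\Windows\System32\services.exe"
CMD = r"C:\Windows\System32\cmd.exe"
IMPLANT = r"C:\ProgramData\update\svc.exe"   # assumed implant path

# Constructed baseline: an admin runs a single ipconfig from a shell.
BASELINE = [
    ProcessEvent(1200, 900, CMD, "cmd.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1201, 1200, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", CMD),
]

# Constructed classic tradecraft: implant -> cmd.exe -> burst of discovery tools.
CLASSIC_TRADECRAFT = [
    ProcessEvent(4242, 800, IMPLANT, "svc.exe", SVC),
    ProcessEvent(4300, 4242, CMD, "cmd.exe /c whoami && ipconfig /all && systeminfo && net user", IMPLANT),
    ProcessEvent(4301, 4300, r"C:\Windows\System32\whoami.exe", "whoami", CMD),
    ProcessEvent(4302, 4300, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", CMD),
    ProcessEvent(4303, 4300, r"C:\Windows\System32\systeminfo.exe", "systeminfo", CMD),
    ProcessEvent(4304, 4300, r"C:\Windows\System32\net.exe", "net user", CMD),
]

# Constructed in-process emulation: the implant gathers the same data through
# API calls inside its own process (user name, adapters, accounts ...). No child
# process is ever created, so there is nothing for a process-creation rule to match.
IN_PROCESS_EMULATION = [
    ProcessEvent(4242, 800, IMPLANT, "svc.exe", SVC),
]


if __name__ == "__main__":
    for name, data in [("baseline", BASELINE),
                       ("classic tradecraft", CLASSIC_TRADECRAFT),
                       ("in-process emulation", IN_PROCESS_EMULATION)]:
        print(f"{name}: {detect_discovery(data)}")
```

The rule fires once for the classic burst and stays silent for the admin baseline, but it is equally silent for the in-process variant, which is the blind spot ESET describes. Coverage for that case has to come from telemetry that does not depend on child processes, such as the implant's own network connections, the modules it loads, or API-level tracing.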