A North Korean state-sponsored hacker crew known as Lazarus Group has been observed using a previously undocumented backdoor in an attack targeting a Spanish aerospace company. This attack is part of an ongoing campaign tracked as “Operation DreamJob,” where the group uses social engineering techniques to compromise its targets using fake job offers as the lure.
The threat actor gained initial access to the company’s systems via a spear-phishing attack in which the operator masqueraded as a recruiter for Meta, Facebook’s parent company. The fake recruiter contacted one of the company’s employees on LinkedIn and sent two coding challenges, presented as part of the hiring process, which the victim downloaded and executed on a company device.
After gaining access to the network, the Lazarus hackers deployed multiple payloads, including a previously unseen remote access trojan (RAT) dubbed ‘LightlessCan’ by ESET researchers who discovered this espionage campaign.
According to the researchers, LightlessCan is more advanced than its predecessor, BlindingCan. One of the most notable aspects of the RAT is that it mimics the functionalities of a wide range of native Windows commands, making detecting and analyzing the attacker’s activities more challenging.
“Another mechanism used to minimize exposure is the employment of execution guardrails; Lazarus made sure the payload can only be decrypted on the intended victim’s machine. Execution guardrails are a set of protective protocols and mechanisms implemented to safeguard the integrity and confidentiality of the payload during its deployment and execution, effectively preventing unauthorized decryption on unintended machines, such as those of security researchers,” ESET noted in a technical report.
The researchers observed the attackers deploying two malicious executables, Quiz1.exe and Quiz2.exe, which were delivered via .iso images hosted on a third-party cloud storage platform.
The first payload is an HTTP(S) downloader called “NickelLoader,” which the attackers used to deploy two RATs: a variant of the BlindingCan backdoor and LightlessCan.
“The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan,” ESET said. “The attackers can now significantly limit the execution traces of their favorite Windows command line programs that are heavily used in their post-compromise activity. This maneuver has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and of post-mortem digital forensic tools.”