Lazarus Deploys New Backdoor to Target Aerospace Firm
Researchers discovered an undocumented backdoor named LightlessCan being used by the North Korea-backed Lazarus Group to target a Spanish aerospace company.
Eset researchers said an employee of the aerospace firm was lured with a fake job opportunity: the attacker, masquerading as a Meta recruiter, tricked the victim into downloading and executing malicious code on a company device.
The hackers obtained initial access to the company’s network last year through this spear-phishing campaign, in which they posed as a recruiter for Meta.
The ongoing campaign, called “Operation DreamJob”, is run by Lazarus: a fake recruiter reaches out to the victim via LinkedIn and sends two coding challenges purportedly required as part of the hiring process.
“The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan,” researchers said.
Recently, federal authorities warned of “significant risk” for potential attacks on healthcare and public health sector entities by the Lazarus group involving exploitation of a critical vulnerability in 24 ManageEngine IT management tools from Zoho.
The alert issued by the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center warned that the cybercriminal group has been targeting “internet backbone infrastructure and healthcare entities” in Europe and the United States with exploits of a vulnerability tracked as CVE-2022-47966.
Authorities also warned about a new malware tool called CollectionRAT, which appears to operate like most RATs by allowing the attacker to run arbitrary commands among other capabilities. CollectionRAT is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus subgroup, Andariel.
In the latest campaign, the attackers convinced victims to compromise their own systems using different lures, such as getting the target to execute a malicious PDF viewer in order to see the full content of a job offer, or encouraging the victim to connect with a Trojanized SSL/VPN client after being provided with an IP address and login details.
As part of the purported hiring process, the victim received two malicious executables, Quiz1.exe and Quiz2.exe, delivered inside the Quiz1.iso and Quiz2.iso disk images hosted on a third-party cloud storage platform.
The victim unknowingly downloads and executes these files on a company device.
“The first challenge is a very basic project that displays the text ‘Hello, World!'” researchers said. “The second prints a Fibonacci sequence up to the largest element smaller than the number entered as input. A Fibonacci sequence is a series of numbers in which each number is the sum of the two preceding ones, typically starting with 0 and 1.” In this malicious campaign, however, the sequence starts with 1 and 2.
Once the output is printed, both executables trigger the malicious action: installing additional payloads from the ISO images onto the target’s system.
The first payload delivered to the victim’s device is an HTTP(S) downloader dubbed NickelLoader, which lets the attackers load any program they choose into the memory of the victim’s computer.
NickelLoader is used to deliver two RATs: a variant of the BlindingCan backdoor with limited functionality but identical command-processing logic, and the newly introduced LightlessCan.
Researchers at Eset called LightlessCan the successor of the group’s flagship HTTP(S) RAT, BlindingCan. It supports up to 68 distinct commands, indexed in a custom function table, but in the current version, 1.0, only 43 of those commands are implemented with some functionality, researchers said.
“The remaining commands are present but have a formal implementation in the form of placeholders, lacking actual functionality. The project behind the RAT is definitely based on the BlindingCan source code, as the order of the shared commands is preserved significantly, even though there may be differences in their indexing,” researchers said.
Researchers said LightlessCan lets the attackers significantly limit the execution traces of the native Windows command-line programs they would otherwise run during post-compromise activity, because the functionality of those commands is carried out discreetly inside the RAT itself rather than through noisy console executions. This could have far-reaching implications for the effectiveness of both real-time monitoring solutions and post-mortem digital forensic tools that rely on process-creation telemetry.