In a concerning development, cybersecurity researchers at ESET have uncovered a new and sophisticated malware variant, named “LightlessCan,” deployed by the notorious North Korean hacking collective, Lazarus Group. This malware, utilized in fake job scams, presents a significant challenge for detection compared to its predecessor, BlindingCan.
The Evolution of Deception
Drawing on a recent fake job attack against a Spain-based aerospace firm, ESET senior malware researcher Peter Kálnai detailed the discovery of LightlessCan in a post on September 29. The Lazarus Group, known for its elaborate fake employment scams, entices victims with promises of job opportunities at reputable organizations. Once hooked, victims unwittingly download a malicious payload disguised as seemingly innocuous documents, leading to various forms of cyber damage.
Kálnai emphasizes that LightlessCan marks a “significant advancement” over BlindingCan because it can mimic native Windows commands. Those commands are executed discreetly inside the Remote Access Trojan (RAT) itself rather than through the noisy console executions that were characteristic of its predecessor.
Stealth in Action
“This approach offers a significant advantage in terms of stealthiness,” Kálnai notes, “both in evading real-time monitoring solutions like EDRs (Endpoint Detection and Response), and postmortem digital forensic tools.”
Additionally, LightlessCan introduces what Kálnai terms “execution guardrails,” a mechanism ensuring that the payload can only be decrypted on the intended victim’s machine. This prevents security researchers from decrypting the payload on other systems, adding another layer of complexity to the already elusive malware.
A Real-World Example
One specific case involving LightlessCan was an attack on a Spanish aerospace firm. In this instance, an employee received a message in 2022 from a fake Meta recruiter named Steve Dawson. The attackers, posing as potential employers, sent over two seemingly innocent coding challenges that carried the LightlessCan malware. Kálnai notes that cyberespionage was the primary motivation behind Lazarus Group’s attack on the aerospace firm.
Implications for Crypto Firms
Crypto firms are on high alert as Lazarus Group’s use of LightlessCan raises the stakes in the ongoing cat-and-mouse game between hackers and cybersecurity experts. The malware’s enhanced stealth features and encryption safeguards pose a serious threat to detection mechanisms, emphasizing the need for heightened vigilance and updated cybersecurity measures within the crypto industry.
As the landscape of cyber threats continues to evolve, the ability to adapt and fortify defenses against such advanced malware becomes paramount for organizations in the crypto space. The Lazarus Group’s latest move serves as a stark reminder that innovation in cybersecurity is essential to stay one step ahead of relentless adversaries.