Cybersecurity experts at ESET have issued a stark warning to businesses about the emergence of a new malware threat known as “LightlessCan” from the notorious Lazarus Group. ESET has noted that this advanced malware is harder to detect than its predecessors.
The malware primarily infiltrates networks through employment scams, enticing victims to unwittingly install a malicious payload, cleverly disguised as a job-related task or document associated with the targeted company.
In a recent blog post published on September 29, ESET provided an in-depth analysis of LightlessCan’s functionality, detailing its potential damage to network systems, various execution chains leading to potential cyber espionage, and more.
The Lazarus Group, infamous for its involvement in high-profile crypto hacks resulting in millions of dollars in losses, notably wiped over $40 million from the sports betting platform Stake.com in a prior attack.
The group has also been linked to major incidents involving Bithumb and NiceHash, to breaches of established entities like AstraZeneca and Sony, and to the infamous WannaCry ransomware attack.
ESET’s cybersecurity experts outlined the modus operandi of the attackers, elucidating that they employ a sophisticated remote access Trojan (RAT) to deliver payloads into victim networks, a notable advancement from previous iterations.
“LightlessCan emulates a wide range of native Windows commands, enabling discreet execution within the RAT itself, thus avoiding noisy console executions. This strategic shift bolsters stealthiness, significantly heightening the challenge of detecting and analyzing the attacker’s activities,” noted the experts.
Additionally, LightlessCan employs guardrails as protective measures for its payload during execution, effectively thwarting unauthorized decryption on unintended machines, such as those belonging to security researchers.
After initial access was secured through a social media-based hiring process, the attackers utilized multiple layers of encryption, including AES-128 and RC6 with a 256-bit key, reminiscent of prior campaigns, including the infamous Amazon incident.
In the final stages, RATs work together with droppers and loaders, embedding the payload deep within the systems.
ESET underscored the significance of LightlessCan, describing it as a sophisticated RAT with support for an extensive array of distinct commands, although version 1.0 presently implements only 43 of these commands with full functionality.
Lastly, the security team emphasized the importance of heightened awareness regarding related scams, aiming to substantially reduce their occurrence and promote digital safety.
In a notable case study, ESET unveiled a Lazarus Group hack targeting a Spanish aerospace company, employing the newly discovered LightlessCan model. The perpetrators gained access to the company’s networks last year through a series of targeted campaigns, posing as recruiters for the organization. Contacting the victim through LinkedIn, they assigned two coding tasks as part of their hiring process, one involving a basic “Hello, World!” display and the other focusing on printing a Fibonacci sequence.