North Korea’s Lazarus Group upgrades its main malware • The Register


The Lazarus Group, the cybercrime gang linked to the North Korean government, has been named as the perpetrator of an attack against a Spanish aerospace firm, using a dangerous new piece of malware.

Lazarus’s fingerprints were all over a recent attack on an unnamed Spanish aerospace firm, according to security shop ESET, which opined the incident mimics previous Lazarus campaigns that used nearly identical ingress tactics.

ESET asserts this attack bears hallmarks of the Lazarus campaign known as Operation Dream Job, right down to the types of encryption used, which mirror those used in a campaign offering fake jobs at Amazon.

Like those other campaigns, suspected Lazarus hackers used LinkedIn to contact employees at the unnamed Spanish firm. Posing as recruiters from Meta, the Lazarus operatives suggested downloading a pair of coding challenges. Those files were bundled with attack code that, when printed, triggered a payload and installed malware.

ESET asserts that the goal of the attacks, and other Dream Job breaches, was espionage. “Pilfering the know-how of an aerospace company is aligned with long-term goals manifested by Lazarus,” wrote ESET senior malware researcher Peter Kálnai.

Lazarus Group activity has previously targeted numerous high-profile orgs, including others in aerospace, chemical manufacturing and other nationally critical industries. Lazarus has also pulled off a number of cryptocurrency heists and was named as being behind the Sony Pictures hack in 2015.

Lazarus’s dangerous new toolset

In previous attacks – including the Amazon Dream Job campaign – Lazarus used a remote access Trojan known as BlindingCan.

ESET’s Kálnai suggested this recent attack used an upgraded malware tool named “LightlessCan” that has support for 68 commands, although only 43 appear to be implemented.

ESET’s analysts believe LightlessCan is based on BlindingCan source code, as the order of shared commands is “preserved significantly, even though there may be differences in their indexing.”

LightlessCan adds mimicked Windows command functionality – the tool can mimic commands like ping, ipconfig, systeminfo, sc, net, and the like with a hardcoded “The…