Ever wondered how a seemingly innocent LinkedIn message can turn into a cybersecurity nightmare? A Spanish aerospace company recently fell victim to a malware attack that began with a fake LinkedIn recruiter[1].
Research by ESET shows that the attacker posed as a Meta recruiter and infected the company's network with malware, notably a previously undocumented backdoor named "LightlessCan"[2]. ESET attributes the attack to the Lazarus Group, a North Korea-aligned cyber espionage group. This post covers the attack details, the tools used, and the broader implications of the threat.
The Attack Methodology
LinkedIn has become a hotbed for spearphishing. In this case, the fake recruiter approached employees of the Spanish aerospace company and asked them to complete two coding assignments, delivered as the executables Quiz1.exe and Quiz2.exe, as part of a supposed hiring process. The files were malware in disguise[3].
The first challenge displayed a basic "Hello, World!" message, while the second printed a Fibonacci sequence[4]. Both programs produced the expected output, but executing them also ran the trojanized code, giving the threat actors initial access to the company's network.
LightlessCan: A New Level of Sophistication
One of the payloads deployed was LightlessCan, a new, publicly undocumented backdoor. It represents a significant leap in the Lazarus Group's tooling. Rather than launching the real Windows utilities as noisy console processes the way its predecessor BlindingCan did, LightlessCan reimplements a wide range of native Windows commands (ESET cites ping, ipconfig, systeminfo, sc and net, among others) inside the RAT (Remote Access Trojan) itself. No child process is created, so process-creation and command-line logging, which is where many detections for post-exploitation reconnaissance live, sees nothing.
To stay hidden, the malware also uses "execution guardrails": the payload is stored encrypted, and the decryption key depends on the target environment, so it can only be decrypted on the intended victim's machine. A copy pulled from the victim and detonated in a sandbox, or on an analyst's workstation, yields nothing, which makes detection and analysis significantly harder for security researchers.
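To make the guardrail idea concrete, the script below is an added illustration and not LightlessCan's code: the page does not describe which environment facts Lazarus keys on or which cipher is used, so the fingerprint fields (hostname, user, domain), the PBKDF2 key derivation and the SHA-256 counter-mode stream cipher with an HMAC tag are all assumptions. The two environment dictionaries are constructed sample data. The payload is encrypted for TARGET_ENV; decrypting it with the same environment succeeds, while decrypting it on SANDBOX_ENV fails closed at the MAC check instead of producing garbage.

```python
"""Environment-keyed payload encryption ("execution guardrails").

Added illustration, not LightlessCan's implementation: the fingerprint
fields, KDF and cipher are assumptions chosen to make the idea runnable
with the Python standard library only.
"""
import getpass
import hashlib
import hmac
import os
import platform

# Constructed sample environments (not real hosts). A real implant would
# read these from the OS; they are fixed here so the example runs anywhere.
TARGET_ENV = {"hostname": "WS-ENG-0417", "user": "jdoe", "domain": "CORP"}
SANDBOX_ENV = {"hostname": "DESKTOP-1A2B3C", "user": "analyst", "domain": "WORKGROUP"}


def live_env():
    """What an implant would actually fingerprint on the host it runs on."""
    return {
        "hostname": platform.node(),
        "user": getpass.getuser(),
        "domain": os.environ.get("USERDOMAIN", ""),
    }


def fingerprint(env):
    # Canonical, order-independent serialization of the environment facts.
    return "|".join(f"{k}={env[k]}" for k in sorted(env)).encode()


def derive_key(env, salt):
    # The salt ships with the payload; the fingerprint does not. Without the
    # exact values the key cannot be regenerated (strength depends on how
    # guessable the fingerprint is, see the note below the block).
    return hashlib.pbkdf2_hmac("sha256", fingerprint(env), salt, 100_000, dklen=64)


def keystream(key, nonce, n):
    # SHA-256 in counter mode as a simple stream cipher (illustrative only).
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_for(env, plaintext):
    """Bind plaintext to env: returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(env, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt_here(env, blob):
    """Return the payload if env matches the one it was bound to, else None."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(env, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong machine (or tampering): fail closed, emit nothing
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def demo():
    payload = b"<stage-2 backdoor bytes would go here>"
    blob = encrypt_for(TARGET_ENV, payload)
    on_target = decrypt_here(TARGET_ENV, blob) == payload
    in_sandbox = decrypt_here(SANDBOX_ENV, blob) is None
    return on_target, in_sandbox


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Two practical consequences follow from this construction. For the analyst, the sample on disk is useless without the victim's exact environment values, so when you pull a suspected guardrailed payload from a host, capture the hostname, user, domain and anything else an implant might key on at the same time, rather than only the file. For the defender, the guardrail is only as strong as the fingerprint's entropy: values an outsider can enumerate (a short hostname pattern, a known domain name) can be brute-forced offline against the MAC, which is exactly the kind of weakness a researcher looks for when a key is not otherwise available.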
Who Are the Lazarus Group?
The Lazarus Group is not new to cyberespionage. Also known as HIDDEN COBRA[5], this North Korea-aligned group has been active since at least 2009. It is responsible for high-profile incidents including the Sony Pictures hack, the WannaCry outbreak, and cyberheists worth tens of millions of dollars.
Its portfolio spans cyberespionage, cybersabotage, and financially motivated crime. Aerospace companies are particularly appealing targets, given North Korea's pursuit of missile technology in violation of UN Security Council resolutions.
Why Does This Matter?
This attack isn't an isolated incident but part of a broader campaign known as "Operation DreamJob," which targets defense and aerospace companies[6]. According to UN reports, money gained from these cyberattacks partially funds North Korea's missile development[7]. As such, these attacks have both national security and global implications.
The attack on the Spanish aerospace company is a cautionary tale of how a simple LinkedIn message can escalate into a full-blown cyberattack. The Lazarus Group continues to evolve, deploying increasingly sophisticated malware like LightlessCan.
Could this be a sign of things to come? The answer is, most likely, yes. And that makes the need for robust cybersecurity measures all the more urgent.
1. https://www.security.nl/posting/812442/Spaans+luchtvaartbedrijf+via+malafide+LinkedIn-recruiter+besmet+met+malware
2. https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
3. https://twitter.com/HackingLZ/status/1707752930395197886
4. https://en.wikipedia.org/wiki/Fibonacci_sequence
5. https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/north-korea
6. https://attack.mitre.org/campaigns/C0022/
7. https://edition.cnn.com/2023/05/10/politics/north-korean-missile-program-cyberattacks/index.html