Lazarus new malware can now bypass detection

North Korean hacking collective Lazarus Group has been using a new type of malware as part of its fake employment scams which researchers warn is far more challenging to detect than its predecessor.

While analyzing a recent fake job attack against a Spain-based aerospace firm, ESET researchers led by senior malware researcher Peter Kálnai discovered a publicly undocumented backdoor named LightlessCan.

The Lazarus Group’s fake job scam typically involves tricking victims with a potential offer of employment at a well-known firm. The attackers entice victims into downloading a malicious payload disguised as documents, which is then used to do all sorts of damage.

However, Kálnai says the new LightlessCan payload is a “significant advancement” compared to its predecessor BlindingCan.

LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions.

“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools,” he said.

The new payload also uses what the researcher calls “execution guardrails” — ensuring that the payload can only be decrypted on the intended victim’s machine, thereby avoiding unintended decryption by security researchers.

One case involving the new malware, Kálnai said, was an attack on a Spanish aerospace firm that began when an employee received a message in 2022 from a fake Meta recruiter calling himself Steve Dawson.

Soon after, the hackers sent over two simple coding challenges embedded with the malware. Cyberespionage was the main motivation behind Lazarus Group’s attack on the Spain-based aerospace firm.

Copyright © 2021 cryptonews.lk