North Korea's Lazarus Group upgrades its main malware

LightningCan evades infosec tools in new and interesting ways

The Lazarus Group, the cybercrime gang linked to the North Korean government, has been named as the perpetrator of an attack against a Spanish aerospace firm, using a dangerous new piece of malware.

Lazarus’s fingerprints were all over a recent attack on an unnamed Spanish aerospace firm, according to security shop ESET, which opined the incident mimics previous Lazarus campaigns that used nearly identical ingress tactics.

ESET asserts this attack bears hallmarks of the Lazarus campaign known as Operation Dream Job right down to the types of encryption used, which mirrors that used in a campaign offering fake jobs at Amazon.

Like those other campaigns, suspected Lazarus hackers used LinkedIn to contact employees at the unnamed Spanish firm. Posing as recruiters from Meta, the Lazarus operatives suggested downloading a pair of coding challenges. Those files were bundled with attack code that, when printed, triggered a payload and installed malware.

ESET asserts that the goal of the attacks, and other Dream Job breaches, was espionage. "Pilfering the know-how of an aerospace company is aligned with long-term goals manifested by Lazarus," wrote ESET senior malware researcher Peter Kálnai.

The Lazarus Group activity has previously targeted numerous high-profile orgs, including others in aerospace, chemical manufacturing and other nationally critical industries. Lazarus has also pulled off a number of cryptocurrency heists and was named as being behind the Sony Pictures hack in 2015.

Lazarus’s dangerous new toolset

In previous attacks - including the Amazon Dream Job campaign - Lazarus used a remote access Trojan known as BlindingCan.

ESET’s Kálnai suggested this recent attack used an upgraded malware tool named “LightlessCan” that has support for 68 commands, although only 43 appear to be implemented.

ESET’s analysts believes LightlessCan is based on BlindingCan source code, as the order of shared commands is "preserved significantly, even though there may be differences in their indexing."

LightlessCan adds mimicked Windows command functionality - the tool can mimic commands like ping, ipconfig, systeminfo, sc, net, and the like with a hardcoded "The operation completed successfully" string as output to obfuscate the reality of what the RAT is doing.

Additionally, the security biz noted that the commands were all executed discreetly within the RAT itself rather than being executed in the system console. Doing so "offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools," ESET’s researcher wrote.

"The attackers can now significantly limit the execution traces of their favourite Windows command line programs that are heavily used in their post-compromise activity," ESET said. "This manoeuvre has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and of post-mortem digital forensic tools."

ESET told The Register that, while LightlessCan was observed in the attack on the Spanish aerospace firm, it's not the only time researchers from the company have spotted it. The security firm now believes it’s likely to become The Lazarus Group’s standard tool. ®

More about


Send us news

Other stories you might like