The Lazarus Group, a North Korean hacking collective, has introduced a new malware variant known as LightlessCan in its fraudulent employment schemes.
Unlike earlier Lazarus malware, this new variant is considerably harder to detect.
ESET’s senior malware researcher, Peter Kálnai, disclosed these findings in a post on September 29 after analyzing a fake job attack on a Spanish aerospace firm.
Lazarus Group’s typical approach involves luring victims with enticing employment offers at reputable companies, tricking them into downloading malicious payloads disguised as documents.
LightlessCan represents a notable improvement over its predecessor, BlindingCan.
Kálnai explained that LightlessCan mimics a range of native Windows commands and executes them discreetly within the Remote Access Trojan (RAT) itself, which reduces noisy console activity.
Additionally, the new malware incorporates “execution guardrails” so that only the intended victim’s machine can decrypt the payload, which prevents security researchers from decrypting it on other systems.
This enhanced stealthiness poses challenges both for real-time monitoring solutions such as endpoint detection and response (EDR) products and for postmortem digital forensic tools.
North Korean hackers have reportedly stolen approximately $3.5 billion from cryptocurrency projects since 2016, according to a September 14 report by blockchain forensics firm Chainalysis.
Coinlive previously reported on how the Lazarus Group made a $55M raid on cryptocurrency exchange CoinEx.
The United Nations recognises the threat the collective poses and has been actively working to curb North Korea’s cybercrime tactics on an international scale.
The UN believes that the stolen funds are being used to support North Korea’s nuclear missile program.