Crypto firms beware: Lazarus’ new malware can now bypass detection

cointelegraph.com:

North Korean hacking collective Lazarus Group has been using a new type of “sophisticated” malware as part of its fake employment scams — which researchers warn is far more challenging to detect than its predecessor.

According to a Sept. 29 post from ESET’s senior malware researcher Peter Kálnai, while analyzing a recent fake job attack against a Spain-based aerospace firm, ESET researchers discovered a publicly undocumented backdoor named LightlessCan.

#ESET researchers unveiled their findings about an attack by the North Korea-linked #APT group #Lazarus that took aim at an aerospace company in Spain.

▶️ Find out more in a #WeekinSecurity video with @TonyAtESET. pic.twitter.com/M94J200VQx

The Lazarus Group’s fake job scam typically involves tricking victims with a potential offer of employment at a well-known firm. The attackers would entice victims to download a malicious payload masqueraded as documents to do all sorts of damage.

However, Kálnai says the new LightlessCan payload is a “significant advancement” compared to its predecessor BlindingCan.

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions.”

“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools,” he said.

️‍♂️ Beware of fake LinkedIn recruiters! Find out how Lazarus group exploited a Spanish aerospace company via trojanized coding challenge. Dive into the details of their cyberespionage campaign in our latest #WeLiveSecurity article. #ESET #ProgressProtected

The new payload also uses what the researcher calls “execution guardrails” —