The Lazarus Group, a North Korean state-sponsored hacking collective, has introduced a new malware variant known as LightlessCan into its fraudulent job-offer campaigns.
Compared with earlier Lazarus tooling, LightlessCan is considerably harder to detect.
First Detection
ESET's senior malware researcher, Peter Kálnai, disclosed these findings in a post on September 29 after analysing a fake job attack on a Spanish aerospace firm.
Lazarus Group's typical approach involves luring victims with enticing employment offers at reputable companies, tricking them into downloading malicious payloads disguised as documents.
The victim in this case was contacted via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform.
As part of the supposed hiring process, the victim received two coding challenges, which they downloaded and executed on a company device. One was a basic project that displayed the text "Hello, World!"; the other printed a Fibonacci sequence. The projects themselves were the lure; the malicious payload was delivered alongside them.
ESET Research cooperated with the affected aerospace company to reconstruct the initial access steps and analyse Lazarus Group's toolset.
LightlessCan
Dubbed "LightlessCan" by the ESET team, the malware represents a notable improvement over its predecessor, BlindingCan.
Kálnai explained that LightlessCan reimplements the functionality of many native Windows command-line utilities inside the Remote Access Trojan (RAT) itself, so the operator can perform reconnaissance and other tasks without spawning cmd.exe or the utilities themselves. This denies defenders the process-creation and console telemetry that such commands would otherwise generate.
The new malware also incorporates "execution guardrails": the payload is stored encrypted and can be decrypted only with key material that depends on the intended victim's environment. On any other machine, including a researcher's sandbox, the decryption simply fails, which makes unintended decryption and analysis far more difficult.
Together these measures complicate both real-time monitoring by EDR solutions and postmortem digital forensic analysis.
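The guardrail described above is a general technique known as environmental keying. The following is an added illustration of the idea, not ESET's or the Lazarus Group's code, and nothing about LightlessCan's real key material is disclosed on this page. It assumes the key is derived from the target machine's hostname plus a constructed salt; the hostnames, salt and "payload" bytes are all constructed for the demonstration. The point for defenders is the last function: the same blob yields the payload on the intended host and nothing at all elsewhere, and the sample alone does not contain the key, which is why reconstructing the environment with the victim organisation matters.

```python
"""Environmental keying as an execution guardrail (added example).

An encrypted stage-2 payload is sealed under a key derived from a
host attribute (here: the hostname). Only the intended host derives
the right key; everywhere else the integrity check fails and the
loader refuses to yield the payload.
"""
import hashlib
import hmac
from typing import Optional

TARGET_HOSTNAME = "ws-eng-042"   # constructed: the intended victim's machine name
SALT = b"example-salt"           # constructed: fixed salt baked into the loader
TAG_LEN = 32                     # SHA-256 HMAC tag length in bytes


def derive_key(hostname: str) -> bytes:
    """Derive the payload key from an environment attribute.

    Case is normalised so that 'WS-ENG-042' and 'ws-eng-042' agree;
    anything else produces an unrelated key.
    """
    return hashlib.sha256(SALT + hostname.lower().encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Simple hash-based keystream (stand-in for a real stream cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(plaintext: bytes, hostname: str) -> bytes:
    """Encrypt and authenticate the payload for one specific host."""
    key = derive_key(hostname)
    ct = _xor(plaintext, keystream(key, len(plaintext)))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal(blob: bytes, hostname: str) -> Optional[bytes]:
    """Loader-side guardrail: return the payload only on the intended host.

    The HMAC check fails under any other derived key, so a sandbox never
    sees plaintext, only the opaque blob.
    """
    key = derive_key(hostname)
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment (or tampered blob): refuse to run
    return _xor(ct, keystream(key, len(ct)))


def stage_demo() -> dict:
    """Seal a constructed payload for TARGET_HOSTNAME and try to open it
    on the victim and on an analysis VM."""
    payload = b"<stage-2 RAT bytes>"  # constructed stand-in for the real payload
    blob = seal(payload, TARGET_HOSTNAME)
    return {
        "victim": unseal(blob, TARGET_HOSTNAME),   # -> payload
        "sandbox": unseal(blob, "sandbox-vm-01"),  # -> None
    }


if __name__ == "__main__":
    for host, result in stage_demo().items():
        print(f"{host}: {'decrypted' if result else 'refused'}")
```

Real loaders may key on several attributes at once (hostname, domain, user name, installed software, locale), which only strengthens the effect shown here: an analyst who lacks the exact values cannot recover the payload from the sample, even with full access to the loader's logic.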
The Lazarus Group
The Lazarus Group, also known as HIDDEN COBRA, is a North Korean cyberespionage group with a history dating back to at least 2009.
North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects since 2016, according to a September 14 report by blockchain forensics firm Chainalysis.
Coinlive previously reported on how the Lazarus Group made a $55M raid on cryptocurrency exchange CoinEx.
The United Nations recognises the threat the collective poses and has been working to curb North Korea's cybercrime on an international scale.
The UN believes the stolen funds are used to fund North Korea's nuclear weapons and ballistic missile programmes.