The North Korea-linked Lazarus Group has been tied to a cyber espionage attack targeting an unnamed aerospace company in Spain, in which employees of the firm were approached by the threat actor posing as a recruiter for Meta.
“Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz,” ESET security researcher Peter Kálnai said in a technical report shared with The Hacker News.
The attack is part of a long-standing spear-phishing campaign called Operation Dream Job, orchestrated by the hacking crew to lure employees of organizations that are of strategic interest, enticing them with lucrative job opportunities so that they themselves activate the infection chain.
Earlier this March, the Slovak cybersecurity company detailed an attack wave aimed at Linux users that involved the use of bogus HSBC job offers to launch a backdoor named SimplexTea.
The ultimate objective of the latest intrusion, which is designed for Windows systems, is the deployment of an implant codenamed LightlessCan.
“The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, and represents a significant advancement in malicious capabilities compared to its predecessor, BLINDINGCAN,” Kálnai said.
BLINDINGCAN, also known by the name AIRDRY or ZetaNile, is a feature-rich malware capable of harvesting sensitive information from infiltrated hosts.
It all commenced with the target receiving a message on LinkedIn from a fake recruiter working for Meta Platforms, who then sent two coding challenges as part of the supposed hiring process and convinced the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.
ESET said the ISO files, which contained malicious binaries Quiz1.exe and Quiz2.exe, were downloaded and executed on a company-provided device, effectively resulting in the self-compromise of the system and the breach of the corporate network.
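The delivery chain above (an ISO downloaded from a cloud host, then an executable run from the mounted image) can be hunted for in endpoint telemetry. The following is an added example, not code from ESET or the article: it correlates constructed Sysmon-style records (EventID 11 FileCreate, EventID 1 ProcessCreate; field names follow Sysmon’s schema, all values are made up) and flags an executable launched by explorer.exe from a non-system drive letter shortly after an ISO landed in a user’s Downloads folder. The 15-minute window and the system drive letter are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style records (not real telemetry):
# EventID 11 = FileCreate, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-09-20 09:41:12",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\Quiz1.iso"},
    {"EventID": 1, "UtcTime": "2023-09-20 09:43:05", "Image": r"E:\Quiz1.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"E:\Quiz1.exe"},
    {"EventID": 1, "UtcTime": "2023-09-20 09:50:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "UtcTime": "2023-09-21 12:00:00", "Image": r"D:\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"D:\setup.exe"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window
SYSTEM_DRIVE = "C:"             # assumed system drive letter


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def find_iso_launches(events, window=WINDOW):
    """Return (iso_path, exe_image) pairs: an ISO written into a Downloads folder
    followed, within `window`, by explorer.exe starting an executable from a
    non-system drive letter, i.e. a mounted image being double-clicked."""
    iso_drops = [ev for ev in events if ev["EventID"] == 11
                 and re.search(r"\\Downloads\\[^\\]+\.iso$",
                               ev["TargetFilename"], re.I)]
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        image = ev["Image"]
        drive = image[:2].upper()
        if not re.match(r"^[A-Z]:$", drive) or drive == SYSTEM_DRIVE:
            continue
        if not ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            continue
        for iso in iso_drops:
            if timedelta(0) <= _ts(ev) - _ts(iso) <= window:
                hits.append((iso["TargetFilename"], image))
    return hits
```

A hit is a lead to triage, not a verdict: legitimate installers shipped as ISO images produce the same pattern, so the follow-up is to check the executable’s origin and what it spawned afterwards.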
The attack paves the way for an HTTP(S) downloader referred to as NickelLoader, which allows the attackers to deploy any desired program into the memory of the victim’s computer, including the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as miniBlindingCan (aka AIRDRY.V2).
LightlessCan comes fitted with support for as many as 68 distinct commands, although in its current version only 43 of those commands are implemented with some functionality. miniBlindingCan’s main responsibilities include transmitting system information and downloading files from a remote server.
A noteworthy trait of the campaign is the use of execution guardrails, which prevent the payloads from being decrypted and run on any machine other than the intended victim’s.
“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions,” Kálnai said. “This strategic shift enhances stealthiness, making detecting and analyzing the attacker’s activities more challenging.”
The Lazarus Group and other threat clusters originating from North Korea have been prolific in recent months, having staged attacks spanning manufacturing and real estate sectors in India, telecoms companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the U.S., according to Kaspersky.