Researchers discovered an undocumented backdoor dubbed LightlessCan being used by the North Korean threat actor Lazarus Group to target a Spanish aerospace company.
Eset researchers said an employee of the aerospace company was lured with a fake job offer. The attacker, posing as a Meta recruiter, tricked the victim into downloading and executing malicious code on a company machine.
The attack is part of an ongoing campaign tracked as "Operation DreamJob," in which fake recruiters reach out via LinkedIn (see: North Korean Hackers Find Value in LinkedIn).
Attackers persuade victims to compromise their own systems using a variety of techniques, such as luring the target into running a malicious PDF viewer to see the full contents of a job offer, or encouraging the victim to connect with a Trojanized SSL/VPN client.
"The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan," researchers said.
Eset says it observed victims receiving two malicious executables, including Quiz2.exe, delivered via .iso images hosted on a third-party cloud storage platform.
"The first challenge is a very basic project that displays the text 'Hello, World!'" researchers said. "The second prints a Fibonacci sequence up to the largest element smaller than the number entered as input." A Fibonacci sequence is a series of numbers in which each number is the sum of the two preceding ones, usually starting with 0 and 1. The sequence used in this malicious campaign starts with 1 and 2.
Once the output is printed, both executables trigger the malicious action of installing additional payloads from the ISO images onto the target's system.
The first payload is an HTTP(S) downloader dubbed NickelLoader, which lets the attackers deploy any program they choose into the memory of the victim's computer.
The attackers use NickelLoader to deliver two types of RATs: a variant of the BlindingCan backdoor with limited functionality but identical command-processing logic, and the newly introduced LightlessCan.
Eset researchers call LightlessCan the successor to the group's flagship BlindingCan Trojan. It can support up to 68 distinct commands, indexed in a custom function table. In the current version, 1.0, only 43 of those commands are implemented with some functionality, researchers said.
"The remaining commands are present but have a formal implementation in the form of placeholders, lacking actual functionality. The project behind the RAT is definitely based on the BlindingCan source code, as the order of the shared commands is preserved significantly, even though there may be differences in their indexing."
Researchers said the attackers can significantly limit the traces left by the Windows command-line programs used in post-compromise activity, reducing the effectiveness of real-time monitoring solutions and post-mortem digital forensic tools.
Original post URL: https://www.databreachtoday.com/hackers-impersonate-meta-recruiter-to-target-aerospace-firm-a-23199
Date: 2023-10-01 21:46:09