Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm

Sep 29, 2023 | THN | Cyber Espionage / Malware

The North Korea-linked Lazarus Group has been tied to a cyber espionage attack targeting an unnamed aerospace company in Spain, in which employees of the firm were approached by the threat actor posing as a recruiter for Meta.

“Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz,” ESET security researcher Peter Kálnai said in a technical report shared with The Hacker News.

The attack is part of a long-standing spear-phishing campaign known as Operation Dream Job, orchestrated by the hacking crew, in which employees working at potential targets of strategic interest are enticed with lucrative job opportunities in order to activate the infection chain.


Earlier this March, the Slovak cybersecurity company detailed an attack wave aimed at Linux users that involved the use of bogus HSBC job offers to launch a backdoor named SimplexTea.

The ultimate goal of the latest intrusion, which is designed for Windows systems, is the deployment of an implant codenamed LightlessCan.

“The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, and represents a significant advancement in malicious capabilities compared to its predecessor, BLINDINGCAN,” Kálnai stated.

Spanish Aerospace Firm

BLINDINGCAN, also known by the names AIRDRY or ZetaNile, is a feature-rich malware capable of harvesting sensitive information from infiltrated hosts.

It all began with the target receiving a message on LinkedIn from a fake recruiter claiming to work for Meta Platforms, who then sent two coding challenges as part of the supposed hiring process and convinced the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.

ESET said the ISO files, which contained the malicious binaries Quiz1.exe and Quiz2.exe, were downloaded and executed on a company-provided device, effectively resulting in the self-compromise of the system.


The attack paves the way for an HTTP(S) downloader called NickelLoader, which allows the attackers to deploy any desired program into the memory of the victim's computer, including the LightlessCan remote access trojan and a variant of BLINDINGCAN called miniBlindingCan (aka AIRDRY.V2).

LightlessCan comes fitted with support for as many as 68 distinct commands, although in its current version only 43 of those commands are implemented with some functionality. miniBlindingCan's main responsibility, on the other hand, is to transmit system information and download files retrieved from a remote server, among other tasks.

A noteworthy trait of the campaign is the use of execution guardrails to prevent the payloads from being decrypted and run on any machine other than that of the intended victim.

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions,” Kálnai stated. “This strategic shift enhances stealthiness, making detecting and analyzing the attacker’s activities more challenging.”



Author: data@thehackernews.com (The Hacker News)
Date: 2023-09-29 08:10:00
