North Korea’s state-sponsored Lazarus Group appears to have added a complex and still evolving new backdoor to its malware arsenal, first spotted in a successful cyber compromise of a Spanish aerospace company.
Researchers from ESET who discovered the malware are tracking the new threat as “LightlessCan” and believe it is based on source code from the threat group’s flagship BlindingCan remote access Trojan (RAT).
Lazarus is a North Korean state-backed threat group that US organizations and enterprise security teams have become very familiar with over the years. Since it first gained wide notoriety with a devastating attack on Sony Pictures in 2014, the Lazarus group has established itself as one of the most pernicious advanced persistent threat (APT) groups that are currently active. Over the years, it has stolen tens of millions of dollars with attacks on banks and other financial institutions; exfiltrated terabytes of sensitive information from defense contractors, government agencies, healthcare organizations and energy firms; and executed numerous cryptocurrency heists and supply chain attacks.
Spear-Phishing as Meta for Initial Access
ESET’s analysis of the attack on the Spanish aerospace company showed that Lazarus actors gained initial access via a spear-phishing campaign that targeted specific employees at the company. The threat actor masqueraded as a recruiter for Facebook parent Meta and contacted developers at the aerospace firm via LinkedIn Messaging.
An employee who was tricked into following up on the initial message received two coding challenges, purportedly to check the employee’s proficiency in the C++ programming language. In reality, the coding challenges — hosted on a third-party cloud storage platform — contained malicious executables that surreptitiously downloaded additional payloads on the employee’s system when they attempted to solve the challenge.
The first of these payloads was an HTTPS downloader that ESET researchers dubbed NickelLoader. The tool lets Lazarus actors load any program of their choice directly into the compromised system’s memory. In this case, the Lazarus group used NickelLoader to drop two RATs: a limited-function version of BlindingCan, which ESET has named miniBlindingCan, and the LightlessCan backdoor. The role of miniBlindingCan is to collect system information such as computer name, Windows version, and configuration data, and to receive and execute commands from the command-and-control (C2) server.
For the organizations that Lazarus targets, LightlessCan represents a significant new threat, ESET researcher Peter Kálnai wrote in a blog post detailing the newly discovered malware.
The malware’s design gives Lazarus actors a way to significantly reduce the traces of malicious activity left on compromised systems, limiting the ability of real-time monitoring controls and forensic tools to spot it.
A RAT Hiding From Real-Time Monitoring & Forensic Tools
LightlessCan supports 68 distinct commands, many of which mimic native Windows commands such as ping, ipconfig, systeminfo, and net for gathering system and environment information. Only 43 of those commands are functional at the moment; the rest are placeholders that the threat actor will presumably implement later, which suggests the tool is still under development.
“The project behind the RAT is definitely based on the BlindingCan source code, as the order of the shared commands is preserved significantly, even though there may be differences in their indexing,” Kálnai explained in the blog post.
However, LightlessCan appears to be significantly more advanced than BlindingCan. Among other things, the new Trojan implements the functionality of those native Windows commands inside the RAT itself, so reconnaissance runs without invoking the corresponding system utilities as separate processes.
“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like endpoint detection and response (EDRs), and postmortem digital forensic tools,” Kálnai wrote.
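Why in-process command emulation blunts EDR telemetry, shown with added example code that is not from ESET’s report or from the malware: a typical hunting rule over process-creation events flags a parent that spawns several reconnaissance utilities in a short window. Against a RAT that shells out through cmd.exe the rule fires; against an implant that reimplements ping, ipconfig, systeminfo and net internally, no child processes exist and the same telemetry shows nothing. The event format, PIDs, timestamps and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows utilities whose functionality the article says LightlessCan reimplements internally.
RECON_BINARIES = {"ping.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "net1.exe"}


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation record of the form
    '<ISO timestamp> <parent_pid> <parent_image> -> <child_image>'."""
    ts, ppid, parent, _, child = line.split()
    return {"ts": datetime.fromisoformat(ts), "ppid": int(ppid),
            "parent": parent.lower(), "child": child.lower()}


def detect_recon_bursts(lines, window=timedelta(seconds=60), threshold=3) -> dict:
    """Flag any parent process that spawns at least `threshold` distinct recon
    utilities within `window`. Returns {parent_pid: sorted child image names}."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["child"] in RECON_BINARIES:
            by_parent[ev["ppid"]].append(ev)
    hits = {}
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Sliding window anchored on each event in turn.
            in_window = {e["child"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(in_window) >= threshold:
                hits[ppid] = sorted(in_window)
                break
    return hits


# Constructed telemetry: a conventional RAT shelling out to cmd.exe (pid 4120) for recon.
SHELL_OUT_EVENTS = [
    "2023-09-20T10:00:01 4120 cmd.exe -> ipconfig.exe",
    "2023-09-20T10:00:03 4120 cmd.exe -> systeminfo.exe",
    "2023-09-20T10:00:05 4120 cmd.exe -> net.exe",
    "2023-09-20T10:00:09 4120 cmd.exe -> ping.exe",
    "2023-09-20T10:01:30 5200 explorer.exe -> notepad.exe",
]

# Constructed telemetry from a host where the same recon runs inside the implant process:
# no child processes are created, so only ordinary activity appears. The single ipconfig
# from an administrator's shell (pid 900) stays below the threshold.
IN_PROCESS_EVENTS = [
    "2023-09-20T10:00:02 5200 explorer.exe -> notepad.exe",
    "2023-09-20T10:00:40 900 cmd.exe -> ipconfig.exe",
    "2023-09-20T10:02:11 5200 explorer.exe -> chrome.exe",
]

if __name__ == "__main__":
    print(detect_recon_bursts(SHELL_OUT_EVENTS))   # {4120: ['ipconfig.exe', 'net.exe', 'ping.exe', 'systeminfo.exe']}
    print(detect_recon_bursts(IN_PROCESS_EVENTS))  # {}
```

The practical consequence is that process-lineage rules of this kind give no coverage for an implant that never spawns the utilities it imitates; coverage has to come from elsewhere, for example the C2 traffic the RAT still has to generate, the in-memory loader stage (NickelLoader in this intrusion), or memory scanning of the host process.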
The threat actor has also built LightlessCan so that its encrypted payload can be decrypted only with a key specific to the compromised machine. The goal is to ensure that payload decryption is possible only on the targeted systems and not in any other environment, such as a system belonging to a security researcher, Kálnai noted.
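The general pattern behind that design, usually called environmental keying, is shown below as an added example that is not ESET’s code and not the malware’s own scheme: the article does not say which machine-specific value LightlessCan derives its key from, so the example assumes the Windows computer name purely for illustration. The key is derived from that value plus a salt carried in the blob, and an integrity tag makes a wrong environment fail cleanly rather than emit garbage. The cipher construction (SHA-256 counter keystream with an HMAC tag) is a self-contained stand-in so the example runs with the standard library only; it is not a claim about what the malware uses.

```python
import hashlib
import hmac
import os

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ROUNDS = 100_000


def derive_key(machine_id: str, salt: bytes) -> bytes:
    """Key derived only from a victim-specific value. The sample carries the salt
    but never the key, so nothing in the binary alone is enough to decrypt.
    Windows computer names are case-insensitive, so normalise before hashing (assumed)."""
    ident = machine_id.strip().upper().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", ident, salt, PBKDF2_ROUNDS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def seal(payload: bytes, machine_id: str) -> bytes:
    """Encrypt `payload` so that only a host whose identifier equals `machine_id` can open it."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(machine_id, salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct


def open_blob(blob: bytes, machine_id: str):
    """Return the payload if `machine_id` matches the keyed environment, else None."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ct = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    key = derive_key(machine_id, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment: no usable output, no partial plaintext
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed values: a hypothetical victim host and an analyst sandbox.
    blob = seal(b"second-stage payload", "WS-ENG-0042")
    print(open_blob(blob, "WS-ENG-0042"))   # b'second-stage payload'
    print(open_blob(blob, "RESEARCH-VM"))   # None
```

The forensic caveat follows directly: detonating such a sample in a sandbox or on an analyst workstation yields nothing, because the key never existed there. Incident responders should capture the victim host’s identifying values (computer name, and whatever other environment data the loader reads) together with the sample, so the payload can be recovered by reproducing that environment rather than by brute force.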