North Korean Hacker Group Lazarus Group Uses "Sophisticated" Malware

JAKARTA - North Korea's hacker group Lazarus Group has used a new type of "sophisticated" malware as part of its fake job scams. Researchers warn that it is much harder to detect than its predecessor.

According to ESET Senior Malware Researcher Peter Kálnai, on September 29, while analyzing the latest fake job attack on a Spain-based aerospace firm, ESET researchers discovered a previously undocumented backdoor called LightlessCan.

Lazarus Group's fake job scams usually lure victims with bogus job offers at well-known companies. The attackers persuade the victim to download malicious payloads disguised as documents, which then carry out various damaging actions.

However, Kálnai said the new LightlessCan payload is a "significant advancement" compared to its predecessor, BlindingCan.

"LightlessCan mimics the functionality of various native Windows commands, allowing discreet execution within the RAT itself rather than noisy console executions," said Kálnai.

"This approach offers significant advantages in terms of stealth, both in evading real-time monitoring solutions such as EDR and post-mortem digital forensic tools," he added.

The new payload also uses what the researchers call "execution guardrails," ensuring that the payload can only be decrypted on the intended victim's machine and thus avoiding unintended decryption by security researchers.

Kálnai said one case involving the new malware stems from an attack on the Spain-based aerospace company, in which an employee received a message in 2022 from a fake Meta recruiter named Steve Dawson.

"In addition, the main motivation behind Lazarus Group's attack on Spain-based aerospace companies is cyberespionage," said Kálnai.

Since 2016, North Korean hackers have stolen about $3.5 billion from crypto projects, blockchain forensics firm Chainalysis reported on September 14.

In September 2022, cybersecurity firm SentinelOne warned about fraudulent job scams on LinkedIn that offered potential victims jobs at Crypto.com, as part of a campaign called "Operation Dream Job."

Meanwhile, the United Nations has sought to curb North Korea's cybercrime tactics at the international level, as North Korea is understood to be using the stolen funds to support its nuclear missile program.