Lazarus mimics Meta, targets Spanish aerospace firm


North Korean cyber-gang Lazarus has been intercepted by threat analyst ESET after it tricked an unnamed aerospace firm in Spain into downloading malware. It did this by posing as a recruiter for Meta on LinkedIn.

ESET made the disclosure on its We Live Security blog after it detected Lazarus operatives masquerading as recruiters for the tech giant on the career-focused LinkedIn social media platform.

Lazarus was also spotted wielding a new weapon in its cyber-arsenal – a backdoor remote-access-trojan (RAT) called LightlessCan. In layman’s terms, this is a malicious piece of software that essentially allows a threat actor to break past a target computer’s defenses without being noticed in order to hijack it.

LightlessCan, believed to be a successor to an earlier prototype called BlindingCan, appears to have served this purpose well enough until ESET cottoned on to it.

“The most significant update is mimicked functionality of many native Windows commands like ping, ipconfig, systeminfo, sc, net, and so on,” said ESET. “In this case, these commands are executed discreetly within the RAT itself, rather than being executed visibly in the system console.”

ESET adds that the LightlessCan upgrade offers Lazarus “a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions [...] and postmortem digital forensic tools.”

“Lazarus operators obtained initial access to the company’s network last year after a successful spear phishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp,” said ESET.

Screenshot of LinkedIn message used as lure by Lazarus, in which threat actors pretend to be recruiters working for Meta

Lazarus agents posing as recruiters contacted their chosen victim via LinkedIn’s messaging service, sending two ‘coding challenges’ presented as part of the ‘hiring process.’

Unfortunately, the victim took the bait, downloading the LightlessCan malware on a company device. The attack at least provided ESET with the information needed to track the latest Lazarus campaign.

“ESET Research was able to reconstruct the initial access steps and analyze the toolset used by Lazarus thanks to cooperation with the affected aerospace company,” it said.

The cybersecurity analyst believes this is the latest salvo in Lazarus’ Operation DreamJob campaign, the ultimate purpose of which is cyberespionage. The campaign dates back to 2020, though Lazarus itself has been active for around fifteen years, having chalked up some notable hacks, including Sony Pictures in 2014 and WannaCry in 2017.

Largely shunned by the international community, North Korea is believed by experts to be able and willing to go after anyone to access the critical technologies it needs for its national development – it even hacked its ally Russia last month, according to researchers.