Crypto firms beware: Lazarus’ new malware can now bypass detection

Lazarus Group, a North Korean hacking collective, has been using a new type of malware as part of its fake employment scams. This malware, dubbed LightlessCan, is far more challenging to detect than its predecessor, BlindingCan.

LightlessCan mimics the functionality of a wide range of native Windows commands, so the RAT can carry out those actions inside its own process instead of spawning noisy console executions. This approach gives it a significant stealth advantage against both real-time monitoring solutions such as EDRs and post-mortem digital forensic tools, since no separate command-line process is created for them to observe.
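To make the detection gap concrete, here is an added example (not code from the original article, and not LightlessCan's or any vendor's code) of the kind of process-telemetry rule that in-process command emulation sidesteps. It assumes a simplified event shape modelled on Sysmon Event ID 1 / EDR process-creation records (a `parent` and an `image` path), a constructed list of console utilities, and constructed sample events; none of these names come from the article.

```python
"""Flag parents that spawn bursts of console reconnaissance tools.

Added example: the rule below is what 'noisy console executions' look like
to an EDR. A RAT that emulates ipconfig/net/whoami in-process never produces
these child-process events, so this rule stays silent for it.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Mapping

# Constructed list: built-in console utilities commonly run for host recon.
CONSOLE_TOOLS = {
    "cmd.exe", "ipconfig.exe", "net.exe", "netstat.exe", "nslookup.exe",
    "systeminfo.exe", "tasklist.exe", "whoami.exe", "ping.exe", "reg.exe",
}

# Constructed list: parents for which console tooling is routine
# (interactive shells and the desktop shell); tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}


def basename(path: str) -> str:
    """Normalise a Windows path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_console_bursts(events: Iterable[Mapping[str, str]],
                        threshold: int = 3) -> Dict[str, List[str]]:
    """Return {parent image: sorted child tools} for parents outside
    EXPECTED_PARENTS that spawned at least `threshold` distinct console tools."""
    spawned = defaultdict(set)
    for ev in events:
        parent = basename(ev["parent"])
        child = basename(ev["image"])
        if child in CONSOLE_TOOLS and parent not in EXPECTED_PARENTS:
            spawned[parent].add(child)
    return {p: sorted(c) for p, c in spawned.items() if len(c) >= threshold}


# Constructed sample telemetry: a noisy implant ("update.exe", hypothetical
# name) shelling out for recon, plus benign interactive activity.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\u\AppData\update.exe", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"parent": r"C:\Users\u\AppData\update.exe", "image": r"C:\Windows\System32\net.exe"},
    {"parent": r"C:\Users\u\AppData\update.exe", "image": r"C:\Windows\System32\systeminfo.exe"},
    {"parent": r"C:\Users\u\AppData\update.exe", "image": r"C:\Windows\System32\whoami.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\ipconfig.exe"},
]

# A RAT that emulates the same commands in-process emits no child-process
# events at all, so there is nothing for this rule to match.
STEALTHY_EVENTS: List[Mapping[str, str]] = []


def run_sample() -> Dict[str, List[str]]:
    """Apply the rule to the constructed noisy telemetry."""
    return flag_console_bursts(SAMPLE_EVENTS)


def run_stealthy_sample() -> Dict[str, List[str]]:
    """Apply the rule to the in-process-emulation case (no spawns)."""
    return flag_console_bursts(STEALTHY_EVENTS)


if __name__ == "__main__":
    print("noisy implant:", run_sample())
    print("in-process emulation:", run_stealthy_sample())
```

The contrast between the two runs is the article's point: process-creation rules like this one catch implants that shell out, and they go blind when the same reconnaissance is reimplemented inside the RAT, which pushes detection towards the implant's own process (its network activity, API usage, or memory) rather than its children.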

The new payload also uses what researchers call "execution guardrails": the payload can only be decrypted on the intended victim's machine, which prevents it from being decrypted unintentionally, for example by security researchers analysing a recovered sample elsewhere.

In one case, Lazarus Group used LightlessCan to attack a Spanish aerospace firm. The hackers sent a fake job offer to an employee, and when the employee clicked on a link in the email, their computer was infected with the malware.

Lazarus Group's attack on the aerospace firm was motivated by cyberespionage. The hackers were likely trying to steal sensitive data from the company.

#YasinCoder #Malware #Attack