Alarm bells have been sounded for cybersecurity enthusiasts by the experts at ESET regarding a new variant of malware orchestrated by the infamous Lazarus Group. Dubbed “LightlessCan”, this update has been labelled a stealthier beast than its predecessors, making its detection devilishly difficult.
The modus operandi for deploying this malware is shrouded in employment-scam gimmicks: unsuspecting users are enticed to install a malicious payload camouflaged as a work task or a document associated with the supposed employer. A blog post from the firm on September 29 furnished details on this new entrant in the cyber underworld, its functionality, the potential damage to network systems, and the way it weaves the web leading to cyber espionage.
The Lazarus Group is no newbie in the cybercrime landscape. Its track record ranges from crypto hacks reaping millions, such as the one that swept over $40M from the sports betting platform Stake.com, to the infamous intrusions into Bithumb, Nicehash and traditional bigwigs like AstraZeneca and Sony.
Moving on to the workings of LightlessCan: it delivers its malicious payload via a Remote Access Trojan (RAT) that shows a higher level of sophistication than the older versions. The malware mimics a plethora of native Windows commands, letting the RAT blend in for a more discreet execution. This camouflage doubles the challenge of detecting and analyzing the hackers’ movements.
Moreover, LightlessCan employs what are termed guardrails, which act as a security blanket for the payload during its execution, effectively thwarting decryption on unintended machines, including those of security researchers. Following initial access through a social-media hiring process, the malware makes use of multiple encryption schemes, such as AES-128 and RC6 with a 256-bit key, taking cues from previous campaigns such as the Amazon incident.
The final stages of RAT deployment rely on droppers and loaders that plant the payload on the system. As per the report, LightlessCan impressively holds support for up to 68 distinct commands. Note that not all of these are functional in the current version, which has only 43 active commands.
Technical aspects aside, the team appealed for widespread awareness of such scams in order to significantly reduce their occurrence and safeguard digital security. The hack of a Spanish aerospace company carried out by the Lazarus Group with the aid of LightlessCan is a perfect case in point: the miscreants gained network access through a camouflaged recruiter operation, via a series of targeted campaigns on LinkedIn.
Source: Cryptonews