LightlessCan Malware

Cybercriminals have executed an espionage attack against an undisclosed aerospace company in Spain. In this incident, the threat actors assumed the guise of a recruiter affiliated with Meta (formerly Facebook) to target the company's employees. These employees were contacted through LinkedIn by the fraudulent recruiter and subsequently deceived into downloading and opening a threatening executable file. The deceptive file was presented as a coding challenge or quiz. The compromised systems were subsequently infected with a previously unknown backdoor threat tracked as LightlessCan.

This cyberattack is part of a well-established spear-phishing campaign known as "Operation Dream Job." It is orchestrated by the Lazarus Group, an APT (Advanced Persistent Threat) actor linked to North Korea. The primary objective of Operation Dream Job is to lure employees who are working within organizations of strategic interest. The attackers use the promise of attractive job opportunities as bait to initiate the infection chain, with the ultimate goal of compromising their targets' systems and data.

A Multi-stage Attack Chain Delivers the LightlessCan Malware

The attack chain begins when the targeted individual is sent a message via LinkedIn from a fraudulent recruiter claiming to represent Meta Platforms. This bogus recruiter then proceeds to send two coding challenges, seemingly as a part of the recruitment process. They successfully convinced the victim to execute these test files, which are hosted on a third-party cloud storage platform and named Quiz1.iso and Quiz2.iso.

As cybersecurity experts have identified, these ISO files carry malicious binary files known as Quiz1.exe and Quiz2.exe. Victims are expected to download and execute the files on a device provided by the targeted company. Doing so will result in the system becoming compromised, leading to a breach of the corporate network.

This breach opens the door for the deployment of an HTTP(S) downloader known as NickelLoader. With this tool, the attackers gain the ability to inject any desired program directly into the victim's computer's memory. Among the programs deployed were the LightlessCan remote access Trojan and a variant of BLINDINGCAN, known as miniBlindingCan (also referred to as AIRDRY.V2). These threatening tools could grant the attackers remote access and control over the compromised system.

LightlessCan Represents an Evolution of Lazarus' Powerful Arsenal

The attack's most concerning aspect revolves around the introduction of a novel payload named LightlessCan. This sophisticated tool exhibits a significant advancement in harmful capabilities when compared to its predecessor, BLINDINGCAN (also known as AIDRY or ZetaNile). BLINDINGCAN was already a feature-rich malware capable of extracting sensitive information from compromised hosts.

LightlessCan is equipped with support for up to 68 distinct commands, although its current version incorporates only 43 of these commands with at least some functionality. As for miniBlindingCan, it primarily handles tasks such as transmitting system information and downloading files retrieved from a remote server.

A noteworthy characteristic of this campaign is the implementation of execution guardrails. These measures prevent the payloads from being decrypted and executed on any machine other than the one of the intended victim.

LightlessCan is designed to operate in a way that emulates the functionalities of numerous native Windows commands. This allows the RAT to perform discreet execution within itself, avoiding the need for noisy console operations. This strategic shift enhances stealthiness, making it more challenging to detect and analyze the attacker's activities.