Lazarus Tricking Employees with Trojanized Coding Challenges


Lazarus group has been recently discovered to have targeted an Aerospace company in Spain, which involved deploying several tools, including an undocumented backdoor named “LightlessCan.”

Reports indicate that the threat actor gained access to the organization’s network last year using a spearphishing campaign impersonating a recruiter from Meta.

The threat group contacted one of the victims inside the organization via LinkedIn social networking, posing as a recruiter from Meta. The threat actor then sent two coding challenges and a job description PDF, which was malware, resulting in the execution of the malicious payload.

Scammer contacting via Linkedin
Scammer contacting via Linkedin (Source: ESET)

Lazarus Coding Challenges

The victim was provided with two malicious executables, Quiz1.exe and Quiz2.exe, embedded inside two ISO images, Quiz1.iso and Quiz2.iso. The victim was tasked with rewriting the code in C++ programming language.

Fibonacci program from Quiz2.exe
Fibonacci program from Quiz2.exe (Source: ESET)

The two executables were a simple Hello World program and a Fibonacci program. However, the executables were much more than they printed on the console.

Both executables trigger the installation of additional payloads inside the ISO images. The first payload that was delivered was named “NickelLoader” which enables the threat actor to deploy any program on the system’s memory. Followed by other additional payloads which are used by the threat actor for various purposes.

LightlessCan – New Backdoor

One of the most interesting payloads used was the LightlessCan, which was found to be the successor of the Lazarus RAT BlindingCan. LightlessCab supports 68 distinct commands, of which 43 lack their original functionality.

LightlessCan can be confirmed to have been derived from BlindingCan because the order of the shared commands between LightlessCan and BlindingCan has no significant changes.

One of the most important updates on this new backdoor is mimicking Windows Native commands like ping, ipconfig, systeminfo, sc, net, etc.

ESET has published a complete report about this compromise and other detailed information, providing additional information about the source code, payload, exploit chain of the payload, compromising the system, and other information.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.



Source link