DailyPost 2562

If you don’t know the Lazarus hacking group, you are still on the fringes of understanding the hacking world and the wheeling and dealing, technology, organization, facilitation and support being provided to these groups. Many cyber-attacks have been attributed to them between 2010 and 2021. A notable early attack that gained the group notoriety was the 2014 attack on Sony Pictures. The group has been responsible for hacking financial institutions in Ecuador, Poland, Mexico and elsewhere. Lazarus is also credited with the famous 2016 Bangladesh Bank heist, in which US$81 million was successfully stolen from a central bank. After a lull, the reigning deity of financial-institution hacking seems to be changing its stance.

Recruitment is a new area they are trying their hand at: through such hacks they get deep into espionage within the institutions entered in that manner. The institutions would undeniably be of critical value. Recently there was news that Lazarus hackers breached an aerospace firm with the new LightlessCan malware. The aerospace company in question is located in Spain. The North Korean Lazarus hacking group targeted its employees, presenting fake job opportunities, to hack into the corporate network. The backdoor used was the previously unknown ‘LightlessCan.’

The hackers were running an “Operation Dreamjob” campaign, which was utilized for this purpose. The campaign entails approaching a target over LinkedIn and engaging him in a fake recruitment process. At some stage while the process is on, the victim is required to download a file. And it actually happened: the victim, an employee of the company, did so on a company computer, which allowed the North Korean hackers to breach the corporate network. What followed is known to all of us: cyber espionage. This incident was investigated by ESET.

They were able to reconstruct the initial access with clarity and retrieve components of the Lazarus toolset. This reconstruction included a previously undocumented backdoor, which was given the name ‘LightlessCan.’ The ESET reconstruction started with a LinkedIn message from a Lazarus hacker pretending to be a recruiter from Meta named Steve Dawson. As the discussion progressed, the victim was asked to prove his proficiency in C++ programming. For this purpose he was required to download some quizzes, which were shared as executables inside ISO files. After this an “additional payload from ISO images was silently dropped onto the victim’s machine via DLL side loading using a legitimate program.” The damage was done.
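The side-loading step described above has a recognisable shape in endpoint telemetry: a legitimate, signed executable loads a DLL bearing the name of a Windows system library from its own directory rather than from the system directory. The following detection heuristic is an added illustration, not code from this post or from ESET; the JSON-lines log records, the field names and the list of impersonated DLL names are all constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Directories where Windows system DLLs legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed, illustrative set of system DLL names that side-loaded payloads
# commonly impersonate; a real deployment would maintain a curated list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Constructed image-load telemetry (JSON lines); not real ESET or Sysmon data.
# E:\ stands in for a mounted ISO image holding the "quiz" executable.
SAMPLE_LOG = r"""
{"event":"ImageLoad","image":"E:\\Quiz\\Quiz1.exe","loaded":"E:\\Quiz\\version.dll","host_signed":true}
{"event":"ImageLoad","image":"E:\\Quiz\\Quiz1.exe","loaded":"C:\\Windows\\System32\\kernel32.dll","host_signed":true}
{"event":"ImageLoad","image":"C:\\Program Files\\App\\app.exe","loaded":"C:\\Program Files\\App\\helper.dll","host_signed":true}
{"event":"ImageLoad","image":"C:\\Users\\u\\Tools\\tool.exe","loaded":"C:\\Users\\u\\Tools\\dbghelp.dll","host_signed":false}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_sideload_candidates(events):
    """Return image-load events matching the classic DLL side-loading shape:
    a signed host executable loads a system-named DLL from its own directory
    instead of from the Windows system directory."""
    findings = []
    for ev in events:
        if ev.get("event") != "ImageLoad":
            continue
        host = PureWindowsPath(ev["image"])
        dll = PureWindowsPath(ev["loaded"])
        dll_dir = str(dll.parent).lower().rstrip("\\") + "\\"
        same_dir = dll.parent == host.parent  # DLL sits beside the host exe
        outside_system = not dll_dir.startswith(SYSTEM_DIRS)
        impersonates_system_dll = dll.name.lower() in SYSTEM_DLL_NAMES
        if same_dir and outside_system and impersonates_system_dll and ev.get("host_signed"):
            findings.append({"host": str(host), "loaded": str(dll),
                             "reason": "system-named DLL loaded from host's own directory"})
    return findings


if __name__ == "__main__":
    for finding in flag_sideload_candidates(parse_events(SAMPLE_LOG)):
        print(finding)
```

Only the first record is flagged: kernel32.dll comes from System32, helper.dll does not impersonate a system library, and the last host is unsigned, so it does not fit the "legitimate program" pattern the heuristic targets.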

Sanjay Sahay

Have a nice evening.
