Spanish Aerospace Firm Hacking

The North Korea-linked Lazarus Group has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta.

"Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz," ESET security researcher Peter Kálnai said in a technical report shared with The Hacker News.

The attack is part of a long-standing spear-phishing campaign called Operation Dream Job, orchestrated by the hacking crew to lure employees of prospective targets that are of strategic interest, enticing them with lucrative job opportunities so that they activate the infection chain themselves.

Earlier this March, the Slovak cybersecurity company detailed an attack wave aimed at Linux users that involved the use of bogus HSBC job offers to launch a backdoor named SimplexTea.

The ultimate objective of the latest intrusion, which is designed for Windows systems, is the deployment of an implant codenamed LightlessCan.

"The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, and represents a significant advancement in malicious capabilities compared to its predecessor, BLINDINGCAN," Kálnai said.


BLINDINGCAN, also known by the name AIRDRY or ZetaNile, is a feature-rich malware capable of harvesting sensitive information from infiltrated hosts.

It all commenced with the target receiving a message on LinkedIn from a fake recruiter working for Meta Platforms, who then sent two coding challenges as part of the supposed hiring process and convinced the victim to execute the test files (named Quiz1.iso and Quiz2.iso) hosted on a third-party cloud storage platform.

ESET said the ISO files, which contained malicious binaries Quiz1.exe and Quiz2.exe, were downloaded and executed on a company-provided device, effectively resulting in the self-compromise of the system and the breach of the corporate network.

The attack paves the way for an HTTP(S) downloader referred to as NickelLoader, which allows the attackers to deploy any desired program into the memory of the victim's computer, including the LightlessCan remote access trojan and a variant of BLINDINGCAN referred to as miniBlindingCan (aka AIRDRY.V2).

LightlessCan comes fitted with support for as many as 68 distinct commands, although in its current version only 43 of those commands are implemented with some functionality. miniBlindingCan's main responsibilities are to transmit system information and to download files from a remote server, among others.

A noteworthy trait of the campaign is the use of execution guardrails to prevent the payloads from being decrypted and run on any machine other than the intended victim's.

"LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions," Kálnai said. "This strategic shift enhances stealthiness, making detecting and analyzing the attacker's activities more challenging."

The Lazarus Group and other threat clusters originating from North Korea have been prolific in recent months, having staged attacks spanning manufacturing and real estate sectors in India, telecoms companies in Pakistan and Bulgaria, and government, research, and defense contractors in Europe, Japan, and the U.S., according to Kaspersky.

The commands supported by miniBlindingCan are:

  • Send system details (computer name, Windows version, code page).
  • Update communication interval (value from C2 server).
  • Stop command execution.
  • Send 9,392-byte configuration to C2 server.
  • Update encrypted 9,392-byte configuration on file system.
  • Wait for the next command.
  • Update communication interval (from configuration).
  • Download & decrypt files from C2 server.
  • Execute the provided shellcode.

The LightlessCan backdoor

ESET says LightlessCan is a successor to BLINDINGCAN, based on source code and command ordering similarities, featuring a more sophisticated code structure, different indexing, and enhanced functionality.

The version sampled from the attack on the Spanish aerospace organization is 1.0, featuring support for 43 commands. However, ESET says there are another 25 commands in the code which have not been implemented yet.

The malware replicates many native Windows commands such as ping, ipconfig, netstat, mkdir, schtasks and systeminfo, so it can execute them without spawning a console process, which improves its stealth against real-time monitoring tools that key on process creation.

Since those commands are closed-source, ESET comments that Lazarus has either reverse engineered the code or drawn inspiration from open-source reimplementations.
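As an added illustration (this is not ESET's code, nor anything from the original report), the script below runs two triage checks over constructed Sysmon-style process-creation events. Rule 1 looks for the initial-access pattern described earlier in the article: an executable sitting at the root of a non-system volume, which is how a double-clicked ISO appears once Windows mounts it, launched by explorer.exe (the Quiz1.exe name comes from the report). Rule 2 looks for a burst of the native reconnaissance commands LightlessCan is said to emulate, and the second event set shows why that rule goes quiet once the RAT runs those commands in-process rather than as child processes. Hostnames, timestamps, paths, the assumption that the system volume is C:, and the burst thresholds are all constructed for this example.

```python
"""Triage of constructed process-creation events for the two patterns above.

Added example, not code from ESET or the original post. Event fields mirror
a Sysmon Event ID 1 record (time, host, image, parent image, command line);
every value below is constructed, except the Quiz1.exe name and the list of
emulated commands, which come from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Native utilities the report says LightlessCan reimplements internally.
RECON_COMMANDS = {"ping", "ipconfig", "netstat", "mkdir", "schtasks", "systeminfo"}

# An .exe directly under the root of any drive letter other than C:
# (assumption: C: is the system volume). A mounted ISO gets the next free
# drive letter, so Quiz1.exe inside Quiz1.iso shows up as e.g. E:\Quiz1.exe.
ROOT_OF_NON_SYSTEM_VOLUME = re.compile(r"^(?!C:)[A-Z]:\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed telemetry, stage one: the user opens the "coding challenge" and
# a noisy first-stage binary shells out to recon utilities as child processes.
EVENTS_NOISY = [
    {"time": "2023-03-10T09:14:02", "host": "WS-ENG-07", "image": r"E:\Quiz1.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Quiz1.exe"},
    {"time": "2023-03-10T09:14:05", "host": "WS-ENG-07", "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": r"E:\Quiz1.exe", "cmdline": "ipconfig /all"},
    {"time": "2023-03-10T09:14:06", "host": "WS-ENG-07", "image": r"C:\Windows\System32\NETSTAT.EXE",
     "parent": r"E:\Quiz1.exe", "cmdline": "netstat -ano"},
    {"time": "2023-03-10T09:14:07", "host": "WS-ENG-07", "image": r"C:\Windows\System32\systeminfo.exe",
     "parent": r"E:\Quiz1.exe", "cmdline": "systeminfo"},
    # Benign: an admin running a single ipconfig from a console.
    {"time": "2023-03-10T11:30:44", "host": "WS-ADM-01", "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig"},
]

# Constructed telemetry, stage two: the same ISO launch, but the RAT runs its
# ipconfig/netstat/systeminfo equivalents inside its own process, so no child
# process-creation events exist for them at all.
EVENTS_IN_PROCESS = [EVENTS_NOISY[0], EVENTS_NOISY[4]]


def flag_iso_style_launches(events):
    """Rule 1: explorer.exe starting an .exe at the root of a non-system volume.

    Returns (host, image) pairs. Confirm a hit by correlating with whatever
    ISO/virtual-disk mount event your endpoint telemetry records.
    """
    return [(ev["host"], ev["image"]) for ev in events
            if ROOT_OF_NON_SYSTEM_VOLUME.match(ev["image"])
            and ev["parent"].lower().endswith("\\explorer.exe")]


def flag_recon_bursts(events, min_distinct=3, window=timedelta(seconds=30)):
    """Rule 2: one parent spawning >= min_distinct distinct recon utilities
    within `window`. Returns (host, parent) pairs."""
    by_parent = defaultdict(list)
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if name in RECON_COMMANDS:
            by_parent[(ev["host"], ev["parent"])].append(
                (datetime.fromisoformat(ev["time"]), name))
    hits = []
    for key, seen in by_parent.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            distinct = {n for t, n in seen[i:] if t - t0 <= window}
            if len(distinct) >= min_distinct:
                hits.append(key)
                break
    return hits


def triage(events):
    """Run both rules and report which ones fired."""
    return {"iso_launch": flag_iso_style_launches(events),
            "recon_burst": flag_recon_bursts(events)}


if __name__ == "__main__":
    print("noisy first stage :", triage(EVENTS_NOISY))
    print("in-process RAT    :", triage(EVENTS_IN_PROCESS))
```

Against the first event set both rules fire; against the second only rule 1 does, because there are no child processes for rule 2 to see. That is the practical consequence of the behaviour ESET describes: detections that rely on recon utilities being spawned as processes need to be backed by coverage of the initial access path (ISO mounts, executables run from mounted images) and by network or API-level telemetry.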

List of Windows commands implemented internally on the new backdoor
Source: ESET

Another interesting aspect reported by ESET is that one of the LightlessCan payloads they sampled was encrypted and could only be decrypted using a key dependent on the target's environment.

This is an active protection measure: because the decryption key depends on the victim's environment, the payload cannot be decrypted and analyzed outside that machine, for example in a sandbox or by security researchers or analysts.

This discovery underscores that Lazarus' Operation Dream Job is not solely driven by financial objectives, such as cryptocurrency theft, but also encompasses espionage goals.

Also, the introduction of a new sophisticated payload, LightlessCan, is a concerning development for organizations that might find themselves in the cross-hairs of the North Korean threat group.
