The Lazarus threat group, which is linked to North Korea, recently conducted a sophisticated phishing attack on a Spanish aerospace company using an undocumented remote access trojan (RAT). The attackers misrepresented themselves as representatives of Meta, the parent company of Facebook, Instagram, and WhatsApp. In this attack, an employee of the targeted company unknowingly downloaded malware onto a work computer.

The newly discovered RAT, named LightlessCan by ESET, represents a significant advancement in malicious capabilities compared to its predecessor, BlindingCan. It reimplements the functionality of several native Windows commands inside the RAT itself, so the operator gets the same output without a console process ever being spawned. This makes the attacker's activity harder to detect and to reconstruct afterwards. The mimicked commands include ping, ipconfig, systeminfo, sc, and net.

Running these commands inside the RAT's own process, instead of launching the corresponding Windows utilities as child processes, helps the attackers evade real-time monitoring solutions such as EDR (which typically alert on suspicious process creation and command lines) as well as post-mortem forensic tools that rely on process and command-history artifacts. ESET speculates that Lazarus may have reverse-engineered closed-source system binaries to incorporate this functionality into LightlessCan. Moreover, the malware uses execution guardrails: the payload is encrypted and can only be decrypted on the intended victim's machine, so a sample copied off the host will not decrypt in a researcher's sandbox, making the code difficult to analyze.
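To show why an environment-keyed payload frustrates analysis, here is an added illustration (not ESET's or the attackers' code, and not a description of LightlessCan's actual scheme, which the page does not detail). It assumes a hypothetical guardrail keyed to the victim's hostname: the decryption key is derived from the hostname, so the blob only decrypts where that hostname is present, and an analyst who has the sample but not the host identifier gets nothing. All inputs are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical guardrail: the key is derived from a host-specific identifier.
# Any identifier the malware can read locally (hostname, volume serial, etc.)
# would do; hostname is assumed here purely for illustration.


def derive_key(machine_id: str, salt: bytes) -> bytes:
    """Derive a 32-byte master key from the expected machine identifier."""
    return hashlib.pbkdf2_hmac("sha256", machine_id.encode("utf-8"), salt, 100_000)


def subkey(master: bytes, label: bytes) -> bytes:
    """Separate encryption and authentication keys from the master key."""
    return hmac.new(master, label, "sha256").digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for a stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, machine_id: str) -> bytes:
    """Encrypt payload so it is recoverable only where machine_id matches.

    Layout of the returned blob: 16-byte salt | 32-byte MAC tag | ciphertext.
    """
    salt = os.urandom(16)
    master = derive_key(machine_id, salt)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(subkey(master, b"enc"), len(payload))))
    tag = hmac.new(subkey(master, b"mac"), salt + ct, "sha256").digest()
    return salt + tag + ct


def unseal(blob: bytes, machine_id: str) -> Optional[bytes]:
    """Decrypt the blob using the identifier read from the current host.

    Returns None when the MAC does not verify, i.e. when the host identifier
    differs from the one the payload was keyed to (wrong environment).
    """
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    master = derive_key(machine_id, salt)
    expected = hmac.new(subkey(master, b"mac"), salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None  # guardrail: refuse to decrypt off-target
    return bytes(a ^ b for a, b in zip(ct, keystream(subkey(master, b"enc"), len(ct))))


def demo() -> dict:
    """Seal a constructed payload for one host and try to open it on two hosts."""
    payload = b"constructed second-stage payload bytes"   # constructed sample input
    target_host = "WS-ENG-042.corp.example"               # assumed victim hostname
    blob = seal(payload, target_host)
    return {
        "on_target": unseal(blob, target_host),           # decrypts
        "in_sandbox": unseal(blob, "ANALYST-SANDBOX"),    # returns None
    }


if __name__ == "__main__":
    result = demo()
    print("on target :", result["on_target"])
    print("in sandbox:", result["in_sandbox"])
```

The practical consequence for responders is that the sample alone is not enough: whatever identifier the guardrail keys on must be captured from the compromised host (or the decrypted payload dumped from memory while it runs there), otherwise the stage is unrecoverable from disk.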

Although the targeted aerospace company was not named, the employee’s engagement with the hackers occurred through LinkedIn Messaging. The victim was tricked into downloading malware believing that the files were C++ coding challenge programs as part of the recruitment process. This spear-phishing attack is a continuation of Lazarus’ Operation Dream Job campaign, which employs job-offer lures.

North Korean APTs, particularly Lazarus, have a history of targeting the aerospace and defense sectors. United Nations sanctions monitors have previously reported North Korean attempts to acquire aeronautical data for its intercontinental ballistic missile development program. Earlier this year, a U.S. aeronautics firm was targeted by multiple nation-state APTs exploiting known Zoho and Fortinet vulnerabilities, though the cybersecurity and law enforcement agencies involved did not disclose the attackers' country of origin.

[Definitions: RAT – Remote Access Trojan; APT – Advanced Persistent Threat; ESET – A cybersecurity company; LinkedIn – A professional networking platform; Native Windows commands – Built-in commands provided by the Windows operating system; Console – A text-based interface for executing commands on a computer system; Monitoring solutions – Tools used to monitor and detect security threats on computer systems; EDR – Endpoint Detection and Response; Forensic tools – Tools used for digital forensics analysis; Closed-source – Software whose source code is not publicly available; Execution guardrails – Mechanisms designed to limit the execution of code to specific machines; Security researchers – Professionals who analyze and research security threats and vulnerabilities; Spear-phishing – Targeted phishing attacks aimed at specific individuals or organizations; United Nations – An international organization focused on global cooperation.]