The Lazarus hacking group, associated with North Korea, compromised a Spanish aerospace company by luring its employees with bogus job offers, eventually gaining a foothold in the corporate network through a previously undocumented backdoor dubbed ‘LightlessCan’.
The hackers ran their campaign, known as “Operation Dreamjob,” by approaching their targets on LinkedIn and staging a fictitious recruitment process that, at a certain stage, required the victim to download a file.
The employee did this on a company computer, inadvertently giving the North Korean hackers access to the corporate network for cyber espionage.
ESET investigated the incident in depth, reconstructing the initial breach and uncovering parts of the Lazarus toolkit, most notably a previously unreported backdoor it named ‘LightlessCan’.
Lazarus Attack Chain
The Operation Dreamjob attack, as reconstructed by ESET, began with a LinkedIn message from Lazarus impersonating a Meta (Facebook) recruitment consultant by the name of Steve Dawson.
As the conversation moved to more advanced stages, the victim was asked to demonstrate their C++ programming skills by downloading coding quizzes packaged as executable files inside ISO images.
Launching these executables caused an additional payload hidden in the ISO images to be loaded onto the victim’s system through DLL side-loading: a malicious mscoree.dll was picked up and loaded by a legitimate application, PresentationHost.exe.
This payload is NickelLoader, a malware loader known to install two backdoors: a modified BlindingCan variant with reduced functionality (miniBlindingCan) and LightlessCan.
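The side-loading step described above is the part of the chain that endpoint telemetry can catch: the host binary is legitimate, but the DLL it loads comes from the wrong place. The following is an added detection example, not code from the article or from ESET. It scans Sysmon-style “Image loaded” records for the one host/DLL pair the article names (PresentationHost.exe loading mscoree.dll) and flags any load of that DLL from outside the Windows system directories; the allow-list, the record layout and the sample events are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Constructed allow-list: where a given DLL should legitimately live when loaded by a
# given host executable. The PresentationHost.exe -> mscoree.dll pair is the one the
# article describes; extend the table with other known side-loading pairs as needed.
EXPECTED_DLL_DIRS = {
    ("presentationhost.exe", "mscoree.dll"): {
        r"c:\windows\system32",
        r"c:\windows\syswow64",
    },
}


@dataclass
class ImageLoadEvent:
    """Minimal shape of a Sysmon Event ID 7 (Image loaded) record (constructed)."""
    image: str         # full path of the process that loaded the DLL
    image_loaded: str  # full path of the DLL that was loaded
    signed: bool       # whether the DLL carried a valid Authenticode signature


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def check_side_load(evt: ImageLoadEvent):
    """Return a finding string if the event looks like DLL side-loading, else None."""
    key = (_basename(evt.image), _basename(evt.image_loaded))
    expected_dirs = EXPECTED_DLL_DIRS.get(key)
    if expected_dirs is None:
        return None                      # not a pair we track
    dll_dir = _dirname(evt.image_loaded)
    if dll_dir in expected_dirs:
        return None                      # loaded from a sanctioned system directory
    reasons = [f"{key[1]} loaded from unexpected directory {dll_dir!r}"]
    if dll_dir == _dirname(evt.image):
        reasons.append("DLL sits beside the host executable (classic side-loading layout)")
    if not evt.signed:
        reasons.append("DLL is unsigned")
    return f"{evt.image}: " + "; ".join(reasons)


def scan(events):
    """Run the check over a batch of events and return only the findings."""
    return [f for f in (check_side_load(e) for e in events) if f]


# Constructed sample telemetry: a normal .NET host load, an unrelated load, and the
# side-loading layout (legitimate host binary copied next to a rogue DLL on a mounted ISO).
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\PresentationHost.exe",
                   r"C:\Windows\System32\mscoree.dll", signed=True),
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe",
                   r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoadEvent(r"D:\Quiz1\PresentationHost.exe",
                   r"D:\Quiz1\mscoree.dll", signed=False),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the DLL's directory rather than on its hash, so a freshly built rogue DLL is caught even when no signature or IoC exists for it yet; in production the same logic runs over the SIEM's image-load events rather than the constructed list.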
The commands supported by miniBlindingCan encompass the following actions:
- Transmit system information, including computer name, Windows version, and code page.
- Adjust the communication interval based on values from the C2 server.
- Terminate the execution of a command.
- Dispatch a 9,392-byte configuration to the C2 server.
- Update the encrypted configuration on the filesystem, consisting of 9,392 bytes.
- Await the next incoming command.
- Update the communication interval as per the configuration.
- Retrieve and decrypt files from the C2 server.
- Execute provided shellcode.
The LightlessCan backdoor
According to ESET, LightlessCan is an evolution of BlindingCan, evident in its code, its command set and its more sophisticated structure.
The version detected during the attack on the Spanish aerospace company is designated 1.0 and supports 43 commands. However, ESET’s analysis found references in the code to a further 25 commands that are not yet implemented.
The malware reimplements numerous native Windows command-line utilities, including ping, ipconfig, netstat, mkdir, schtasks and systeminfo, inside the backdoor itself, so it can perform these functions without spawning the corresponding console programs and thus with far less for real-time monitoring tools to notice.
Because these utilities are closed-source, ESET suggests that the Lazarus team either reverse-engineered them or drew on open-source reimplementations.
ESET also uncovered an intriguing detail: one of the sampled LightlessCan payloads was encrypted in such a way that it can only be decrypted with a key derived from the specific target environment.
This encryption acts as an active protective measure: off the intended victim’s computer, for example on the systems of insurance investigators or analysts who try to examine it, the payload simply cannot be decrypted.
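Environment-keyed encryption of this kind changes what an analyst has to collect from the victim host, because the sample alone is useless without the environment value the key is derived from. The following is an added example, not code from the article or from ESET, and the cipher is a constructed toy scheme (SHA-256 key derivation, a hash-based keystream and an HMAC tag), not LightlessCan’s real algorithm, which the article does not describe. The key is bound to the computer name; `recover_with_host_artifacts` is the analyst-side helper that tries each value triaged from the victim machine until the authentication tag verifies. The salt, hostnames and payload text are all constructed.

```python
import hashlib
import hmac

TAG_LEN = 16
SALT = b"constructed-per-sample-salt"  # stands in for a constant a real loader would embed


def derive_key(env_value: str) -> bytes:
    """Key depends only on one attribute of the target environment (constructed toy scheme)."""
    return hashlib.sha256(SALT + env_value.encode("utf-16-le")).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256; enough blocks to cover `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext: bytes, env_value: str) -> bytes:
    """Produce the constructed sample: ciphertext followed by a truncated HMAC tag."""
    key = derive_key(env_value)
    ciphertext = _xor(plaintext, _keystream(key, len(plaintext)))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return ciphertext + tag


def try_open(blob: bytes, env_value: str):
    """Return the plaintext if env_value reproduces the key, otherwise None (tag mismatch)."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(env_value)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ciphertext, _keystream(key, len(ciphertext)))


def recover_with_host_artifacts(blob: bytes, candidates: dict):
    """Analyst helper: try every environment value collected from the victim host.

    Returns (which_attribute_matched, plaintext) or None if nothing verifies."""
    for name, value in candidates.items():
        plaintext = try_open(blob, value)
        if plaintext is not None:
            return name, plaintext
    return None


# Constructed sample bound to the (constructed) victim workstation's computer name.
VICTIM_COMPUTERNAME = "AERO-WS-0421"
SAMPLE_BLOB = seal(b"constructed second-stage payload (not real malware)", VICTIM_COMPUTERNAME)

# On the analyst's own workstation only the analyst's attributes are at hand: nothing opens.
ANALYST_ENV = {"COMPUTERNAME": "MALWARE-LAB-01", "USERNAME": "analyst"}
# Values triaged from the victim host during incident response (constructed); one matches.
VICTIM_ENV = {"USERNAME": "jsmith", "COMPUTERNAME": VICTIM_COMPUTERNAME, "USERDOMAIN": "AEROCORP"}

if __name__ == "__main__":
    print("analyst workstation:", recover_with_host_artifacts(SAMPLE_BLOB, ANALYST_ENV))
    print("victim artifacts:   ", recover_with_host_artifacts(SAMPLE_BLOB, VICTIM_ENV))
```

The practical lesson for responders is in the two dictionaries: a detonation sandbox or analyst VM never reproduces the victim’s key, so host identity attributes (computer name, domain, user, and whatever else the loader might read) should be recorded during triage alongside the sample, or the payload has to be captured already decrypted from the memory of the victim host.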
These findings underscore the sophistication of the Lazarus group’s Dreamjob operation, whose goals extend beyond financial gain to include espionage alongside cryptocurrency theft.
The appearance of the more advanced LightlessCan payload is, moreover, a worrying development for organizations that may be in the North Korean group’s crosshairs.