Lazarus Group’s LightlessCan Malware Raises Stakes in Fake Employment Scams

The Lazarus Group, a North Korean hacking collective, has been using a new, sophisticated malware known as LightlessCan in its fake employment scams. This malware is harder to detect than its predecessor, BlindingCan. The Lazarus Group typically tricks victims with fake job offers from well-known companies and encourages them to download malicious payloads disguised as documents.

LightlessCan is considered a significant advancement because it mimics the functionality of various native Windows commands, so those commands run discreetly inside the Remote Access Trojan (RAT) itself instead of as noisy console executions. This makes the malware stealthier and harder to detect, both for real-time monitoring solutions such as Endpoint Detection and Response (EDR) systems and for postmortem digital forensic tools.

Additionally, LightlessCan uses “execution guardrails” to ensure that the payload can only be decrypted on the intended victim’s machine, preventing unintended decryption by security researchers.

One known case involving this new malware occurred during an attack on a Spanish aerospace firm, where an employee received a message from a fake Meta recruiter named Steve Dawson. The hackers sent coding challenges embedded with the malware as part of their cyberespionage efforts.

North Korean hackers, including the Lazarus Group, have been involved in numerous cybercrimes, including stealing an estimated $3.5 billion from cryptocurrency projects since 2016. These ill-gotten funds are believed to support North Korea’s nuclear missile program. Efforts to curtail North Korea’s cybercrime activities have been ongoing at the international level, with the United Nations taking steps to address this issue.

By FCCT Editorial Team

Disclaimer: The views expressed in this article are independent views solely of the author(s) expressed in their private capacity.
