Cryptocurrency Firms Warn: New Lazarus Malware Can Now Bypass Detection

North Korean hacking group Lazarus Group is using a new type of “sophisticated” malware as part of its fake recruitment scam – which researchers warn is much more difficult to detect than its predecessor.

In a September 29 post, Peter Kalnay, senior malware researcher at ESET, wrote that while analyzing a recent fake job attack against a Spain-based aerospace company, ESET researchers discovered a previously undocumented backdoor called LightlessCan.

The Lazarus Group fake job scam usually involves deceiving victims with a potential offer of employment at a well-known company. Attackers lure victims into downloading a malicious payload disguised as documents to cause all kinds of damage.

However, Kalnay says the new LightlessCan payload represents a “huge advance” over its predecessor, BlindingCan.

“LightlessCan emulates the functionality of a wide range of native Windows commands, enabling covert execution within the RAT itself rather than noisy console executions.”

“This approach offers a significant advantage in terms of stealth, whether in evading real-time surveillance solutions such as EDR records, or post-mortem digital forensic tools,” he said.

The new payload also uses what the researcher calls “execution guardrails” — ensuring that the payload can only be decrypted on the intended victim’s device, thus avoiding inadvertent decryption by security researchers.

One case involving the new malware came from an attack on a Spanish airline when an employee received a message from a fake recruiter named Steve Dawson in 2022, Kalnay said.

Soon after, the hackers sent two simple coding challenges with the malware embedded in them.

Initial contact by the attacker impersonating a recruiter from Meta. Source: WeLiveSecurity.

He added that cyber espionage was the main motive behind the Lazarus Group’s attack on the Spanish airline.

Related: 3 Steps Cryptocurrency Investors Can Take to Avoid Lazarus Group Hacks

Since 2016, North Korean hackers have stolen an estimated $3.5 billion from cryptocurrency projects, according to a September 14 report by blockchain forensics firm Chainalysis.

In September 2022, cybersecurity firm SentinelOne warned of a fake job scam on LinkedIn, offering potential victims a job at Crypto.com as part of a campaign dubbed “Operation Dream Job.”

At the same time, the United Nations is trying to curb North Korea’s cybercrime tactics at the international level, as it is now understood that North Korea is using the stolen money to support its nuclear missile program.

Magazine: $3.4 Billion Bitcoin in a Popcorn Jar: The Story of the Silk Road Pirates