The Lazarus Group, a notorious hacking group with links to North Korea, has been implicated in a cyber espionage attack targeting an aerospace company in Spain. In this complex operation, the threat actors impersonated recruiters from Meta Platforms on LinkedIn to approach employees of the targeted company.
These employees were deceived into opening malicious executable files, masquerading as coding challenges or quizzes. ESET security researcher Peter Kálnai revealed that this attack is part of a broader spear-phishing campaign called Operation Dream Job, aimed at enticing employees with lucrative job opportunities to initiate the infection chain.
This particular attack involves the deployment of a new and highly sophisticated payload called LightlessCan on Windows systems. According to Kálnai, LightlessCan represents a significant advancement in malicious capabilities compared to its predecessor, BLINDINGCAN. BLINDINGCAN, also known as AIRDRY or ZetaNile, is a feature-rich malware designed for harvesting sensitive information from compromised hosts.
In this campaign, victims received LinkedIn messages from the fake recruiter, who then sent coding challenges as part of the hiring process. The victims executed malicious files (Quiz1.exe and Quiz2.exe) contained within ISO files, leading to the compromise of their devices and the corporate network.
The attack also involves the use of an HTTP(S) downloader called NickelLoader, allowing the attackers to deploy various programs into the victim’s computer’s memory, including LightlessCan and a variant of BLINDINGCAN known as miniBlindingCan (aka AIRDRY.V2).
LightlessCan boasts support for up to 68 distinct commands, further emphasizing the group’s sophistication. A notable aspect of this campaign is the use of execution guardrails to prevent payloads from running on unintended machines, enhancing stealthiness and making detection more challenging.