Lazarus tricks employees with trojanized coding challenges | spcilvly

The Lazarus group was recently discovered to have targeted an aerospace company in Spain, which involved the deployment of several tools, including an undocumented backdoor called “LightlessCan.”

Reports indicate that the threat actor gained access to the organization’s network last year through a phishing campaign impersonating a Meta recruiter.

The threat group contacted one of the victims within the organization through the social network LinkedIn, posing as a Meta recruiter. The threat actor then sent two coding challenges and a PDF with a job description, which was malware, resulting in the execution of the malicious payload.

Scammer contacting through LinkedIn (Source: ESET)

Lazarus Coding Challenges

The victim received two malicious executables, Quiz1.exe and Quiz2.exe, embedded within two ISO images, Quiz1.iso and Quiz2.iso. The victim was tasked with rewriting the code in the C++ programming language.

Quiz2.exe Fibonacci Program (Source: ESET)

The two executables were a simple Hello World program and a Fibonacci program. However, the executables were much more than what they printed on the console.

Both executables trigger the installation of additional payloads carried inside the ISO images. The first payload delivered was “NickelLoader,” which allows the threat actor to load any program into system memory; further payloads followed, which the threat actor used for various purposes.
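As an added defender-side example (not code from the article or from ESET's report), a small Python hunt over constructed, simplified process-creation events that flags an executable launched from an ISO-mounted drive which then spawns further processes, the delivery pattern described above; the event field names, the `E:` mount and the child process paths are assumptions.

```python
"""Flag executables run from an ISO-mounted drive that spawn child processes.
Event records are constructed and simplified; the field names are assumptions,
not a real Sysmon or EDR schema."""
from dataclasses import dataclass, field

# Constructed sample: an ISO mount (drive letter assumed) followed by process
# creations. Only the Quiz1.exe chain should be reported.
EVENTS = [
    {"type": "mount", "drive": "E:", "image": r"C:\Users\dev\Downloads\Quiz1.iso"},
    {"type": "process", "pid": 4101, "ppid": 880, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 5120, "ppid": 4101, "image": r"E:\Quiz1.exe"},
    {"type": "process", "pid": 5188, "ppid": 5120, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 5230, "ppid": 5188, "image": r"C:\Users\dev\AppData\Local\Temp\loader.exe"},
    {"type": "process", "pid": 6001, "ppid": 4101, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
]


@dataclass
class Finding:
    root_pid: int
    root_image: str
    iso: str
    descendants: list = field(default_factory=list)


def hunt(events):
    """Return one Finding per process started from an ISO-mounted drive that
    has at least one descendant process (a loader-style chain)."""
    mounts, children, procs = {}, {}, {}   # drive->iso, ppid->[pid], pid->image
    for ev in events:
        if ev["type"] == "mount":
            mounts[ev["drive"].upper()] = ev["image"]
        elif ev["type"] == "process":
            procs[ev["pid"]] = ev["image"]
            children.setdefault(ev["ppid"], []).append(ev["pid"])
    findings = []
    for pid, image in procs.items():
        if image[:2].upper() not in mounts:
            continue                      # not running from a mounted image
        f = Finding(pid, image, mounts[image[:2].upper()])
        stack = list(children.get(pid, []))
        while stack:                      # walk the whole descendant tree
            child = stack.pop()
            f.descendants.append(procs[child])
            stack.extend(children.get(child, []))
        if f.descendants:                 # a lone process from the ISO is not flagged
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.root_image} (pid {f.root_pid}) from {f.iso} spawned {f.descendants}")
```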

LightlessCan – New backdoor

One of the most interesting payloads used was LightlessCan, which turned out to be the successor to BlindingCan, an earlier Lazarus RAT. LightlessCan supports 68 different commands, of which 43 lack their original functionality.

LightlessCan's derivation from BlindingCan is supported by the ordering of the commands the two share, which shows no significant changes.

One of the most important updates of this new backdoor is the imitation of native Windows commands such as ping, ipconfig, systeminfo, sc, net, etc.

ESET has published a full report on this compromise with further details on the source code, the payloads and their execution chain, how the system was compromised, and other findings.
