Lazarus impersonated Meta recruiter to breach Spanish aerospace firm

Operators of the North Korea-linked Lazarus APT obtained initial access to the network of an aerospace company in Spain last year after a successful spearphishing campaign, by masquerading as a recruiter for Meta — the company behind Facebook, Instagram, and WhatsApp.

The final goal of the attack was cyberespionage.

The initial contact by the attacker impersonating a recruiter from Meta (source: ESET)

The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges supposedly required as part of a hiring process, which the victim downloaded and executed on a company device.

ESET research was able to reconstruct the initial access steps and analyze the tool set used by Lazarus thanks to cooperation with the affected aerospace company. The group targeted multiple company employees.

“The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, and represents a significant advancement in malicious capabilities compared to its predecessor, BlindingCan,” explains ESET researcher Peter Kálnai, who made the discovery.

Lazarus disrupts analysis with LightlessCan RAT

Lazarus delivered various payloads to the victims’ systems; the most notable is a previously publicly undocumented and sophisticated remote access trojan (RAT) that we named LightlessCan. The trojan mimics the functionalities of a wide range of native Windows commands, usually abused by the attackers enabling discreet execution within the RAT itself instead of noisy console executions. This strategic shift enhances stealth, making detecting and analyzing the attacker’s activities more challenging.

Another mechanism used to minimize exposure is the employment of execution guardrails: Lazarus made sure the payload could be decrypted only on the intended victim’s machine. Execution guardrails are a set of protective protocols and mechanisms implemented to safeguard the integrity and confidentiality of the payload during its deployment and execution, effectively preventing decryption on unintended machines, such as those of security researchers.

LightlessCan has support for up to 68 distinct commands, but in the current version, 1.0, only 43 of those commands are implemented with some functionality. ESET research has identified four different execution chains, delivering three types of payloads.

Aerospace companies are not an unusual target for North Korea-aligned APT groups. The country has conducted multiple advanced missile tests that violate United Nations Security Council resolutions.