Tuesday, October 15, 2024
Homecyber securityLazarus Tricking Employees with Trojanized Coding Challenges

Lazarus Tricking Employees with Trojanized Coding Challenges

Published on

Malware protection

Lazarus group has been recently discovered to have targeted an Aerospace company in Spain, which involved deploying several tools, including an undocumented backdoor named “LightlessCan.”

Reports indicate that the threat actor gained access to the organization’s network last year using a spearphishing campaign impersonating a recruiter from Meta.

The threat group contacted one of the victims inside the organization via LinkedIn social networking, posing as a recruiter from Meta. The threat actor then sent two coding challenges and a job description PDF, which was malware, resulting in the execution of the malicious payload.

- Advertisement - SIEM as a Service
Scammer contacting via Linkedin
Scammer contacting via Linkedin (Source: ESET)

Lazarus Coding Challenges

The victim was provided with two malicious executables, Quiz1.exe and Quiz2.exe, embedded inside two ISO images, Quiz1.iso and Quiz2.iso. The victim was tasked with rewriting the code in C++ programming language.

Fibonacci program from Quiz2.exe
Fibonacci program from Quiz2.exe (Source: ESET)

The two executables were a simple Hello World program and a Fibonacci program. However, the executables were much more than they printed on the console.

Both executables trigger the installation of additional payloads inside the ISO images. The first payload that was delivered was named “NickelLoader” which enables the threat actor to deploy any program on the system’s memory. Followed by other additional payloads which are used by the threat actor for various purposes.

LightlessCan – New Backdoor

One of the most interesting payloads used was the LightlessCan, which was found to be the successor of the Lazarus RAT BlindingCan. LightlessCab supports 68 distinct commands, of which 43 lack their original functionality.

LightlessCan can be confirmed to have been derived from BlindingCan because the order of the shared commands between LightlessCan and BlindingCan has no significant changes.

One of the most important updates on this new backdoor is mimicking Windows Native commands like ping, ipconfig, systeminfo, sc, net, etc.

ESET has published a complete report about this compromise and other detailed information, providing additional information about the source code, payload, exploit chain of the payload, compromising the system, and other information.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HORUS Protector Delivering AgentTesla, Remcos, Snake, NjRat Malware

The Horus Protector crypter is being used to distribute various malware families, including AgentTesla,...

ErrorFather Hackers Attacking & Control Android Device Remotely

The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to...

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...