Lazarus Group Targets Spanish Aerospace Firm

A cyber-espionage attack on an unnamed aerospace company in Spain has been attributed to the Lazarus Group, a North Korea-linked threat actor. In this campaign, the attackers used LinkedIn to contact employees of the targeted company while posing as recruiters from Meta. According to a technical report shared with The Hacker News by ESET security researcher Peter Kálnai, these employees were tricked into launching a malicious executable disguised as a coding challenge or quiz.

This attack is part of the long-running spear-phishing campaign known as Operation Dream Job, in which the group lures staff at prospective strategic targets with attractive job offers in order to start an infection chain.

The Slovak cybersecurity company uncovered a separate intrusion in March that targeted Linux users. In that attack, a backdoor called SimplexTea was delivered through fraudulent job offers purporting to come from HSBC.

The most recent intrusion, however, targets Windows systems and aims to deploy the LightlessCan implant. According to ESET's Peter Kálnai, the introduction of this new payload is the most concerning component of the attack: LightlessCan is a sophisticated, intricate tool whose operation and design may continue to evolve. Compared to BLINDINGCAN, it represents a significant advance in malicious capability.

The complex malware BLINDINGCAN, also referred to as AIRDRY or ZetaNile, is capable of stealing confidential data from infected systems.

The attack started when a bogus recruiter posing as a Meta Platforms representative messaged the target on LinkedIn. As part of a fictitious hiring process, the recruiter persuaded the victim to run two "test" files, named Quiz1.iso and Quiz2.iso, hosted on a third-party cloud storage service.

When these ISO files, which contain the malicious binaries Quiz1.exe and Quiz2.exe, were downloaded and launched on a company-provided device, the system was compromised and the corporate network breached.

This gave the attackers the ability to load any program of their choice directly into the victim machine's memory via NickelLoader, an HTTP(S) downloader. The payloads delivered this way included the miniBlindingCan variant of BLINDINGCAN (also known as AIRDRY.V2) and the LightlessCan remote access trojan.
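The chain described above (an ISO lure mounted from a user's downloads, an executable launched from that mount, then an outbound HTTP(S) connection from the same process to fetch the next stage) can be correlated from endpoint telemetry. The following is an added detection example, not code from ESET or from the original article; the Sysmon-style event records, drive letters, process IDs and addresses are constructed for illustration.

```python
"""Correlate constructed endpoint events for an ISO-lure infection chain:
ISO mounted -> executable run from the mounted volume -> HTTP(S) connection
from that process (the pattern used to stage NickelLoader described above)."""

# Constructed sample events (not real telemetry); times are ISO-8601 strings.
EVENTS = [
    {"type": "iso_mount", "time": "2023-09-01T10:00:00", "volume": "E:",
     "image_path": r"C:\Users\alice\Downloads\Quiz1.iso"},
    {"type": "process_create", "time": "2023-09-01T10:00:05", "pid": 4120,
     "image": r"E:\Quiz1.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "time": "2023-09-01T10:00:09", "pid": 4120,
     "dest": "198.51.100.7", "dest_port": 443},
    # Benign activity: a program run from the system drive that also talks HTTPS.
    {"type": "process_create", "time": "2023-09-01T10:05:00", "pid": 5000,
     "image": r"C:\Program Files\Tool\tool.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "time": "2023-09-01T10:05:01", "pid": 5000,
     "dest": "203.0.113.9", "dest_port": 443},
]


def find_iso_lure_chains(events, http_ports=(80, 443)):
    """Return one finding per process that was started from an ISO-mounted
    volume and then opened an outbound connection on an HTTP(S) port."""
    mounted = {}   # drive letter (e.g. "E:") -> path of the mounted ISO
    suspects = {}  # pid -> details of a process launched from a mounted ISO
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "iso_mount":
            mounted[ev["volume"].upper()] = ev["image_path"]
        elif ev["type"] == "process_create":
            drive = ev["image"][:2].upper()
            if drive in mounted:
                suspects[ev["pid"]] = {"image": ev["image"],
                                       "iso": mounted[drive],
                                       "parent": ev["parent_image"]}
        elif (ev["type"] == "network_connect" and ev["pid"] in suspects
              and ev["dest_port"] in http_ports):
            s = suspects[ev["pid"]]
            findings.append({"pid": ev["pid"], "image": s["image"],
                             "iso": s["iso"], "parent": s["parent"],
                             "dest": f'{ev["dest"]}:{ev["dest_port"]}'})
    return findings


if __name__ == "__main__":
    for f in find_iso_lure_chains(EVENTS):
        print("ISO lure chain:", f)
```

In production the same correlation would be driven by Sysmon event IDs for process creation and network connections together with the Windows virtual-disk mount events, rather than the hand-built records used here.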

Kylo is a tech geek who loves technology and spends time writing about it. He is also an avid gamer, completing his studies in Information technology. He is a co-founder of Reviewsed.