The North Korean-linked Lazarus threat group used an undocumented remote access trojan (RAT) as part of a LinkedIn-focused phishing attack on a Spanish aerospace company. Attackers claimed to represent Facebook parent company Meta, which also owns Instagram and WhatsApp.An employee at the targeted company was duped into downloading sophisticated malware onto a work computer by a member of the advanced persistent threat (APT) group.In a blog post detailing the incident, ESET senior malware researcher Peter Kálnai said the new RAT Lazarus dropped in the attack, which ESET calls LightlessCan, “represents a significant advancement in malicious capabilities compared to its predecessor, BlindingCan”.“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions,” Kálnai wrote in the post. The malware, he said, represents a shift "making detecting and analyzing the attacker’s activities more challenging.”The RAT's Windows functions include the ability to run Windows commands including Ping, IPConfig, SystemInfo, SC (communicates with the Windows Service Controller and installed services) and NET (a Windows command used to view and modify network settings). In earlier Lazarus attacks such native commands were often executed remotely after the gang had a foothold in the target’s system.“In this case, these commands are executed discreetly within the RAT itself, rather than being executed visibly in the system console,” Kálnai said. He said the technique can often outsmart real-time monitoring solutions such as EDRs (endpoint detection and response tools) and forensic tools.Since Windows’ core utilities are proprietary and not open-source, ESET speculated that in developing LightlessCan, Lazarus may have reverse-engineered the closed-source system binaries in order to add the additional functionality to the RAT.ESET the novel malware used execution guardrails which are intended to prevent the malware from being decrypted on any machine other than the one targeted by the threat group, making it hard for security researchers to analyze the malware code.Lazarus has been active since at least 2009 and has been responsible for numerous hacks, including a number of high-profile attacks such as the Sony hack in 2014 and WannaCry in 2017.





