Home / News / Crypto / News / North Korean Hacking Group Lazarus’ Stolen Crypto Billions Come From Sophisticated Malware
4 min read

North Korean Hacking Group Lazarus’ Stolen Crypto Billions Come From Sophisticated Malware

Published October 2, 2023 3:44 PM
Omar Elorfaly
Published October 2, 2023 3:44 PM

Key Takeaways

  • Hacking group Lazarus has been phishing employees of a Spanish aerospace company.
  • The attack comes as fake headhunting messages.
  • Researchers found a publicly undocumented backdoor named LightlessCan.

The Lazarus group, a North Korean hacking collective, has been linked to multiple attacks on governments and businesses causing the loss of millions of dollars in crypto and data.

Cyber security firm ESET uncovered the details of the attack linked to the North Korean hacker group, claiming it is part of an ongoing campaign by Lazarus, called Dreamjob.

Lazarus Strikes Again

ESET’s senior malware researcher Peter Kálnai wrote a post  detailing the specifics of the attack. 

The hackers used a fake job recruitment approach to contact employees of a Spanish aerospace company in an attempt to commit data espionage.

Lazarus uses the names of well-sought-out companies such as Meta to lure employees into a conversation, then prompting them to download malware while pretending employees are under test for potential employment.

ESET’s investigations led to the discovery of LightlessCan, a malware that acts stealthily by operating in the same manner as prompts on the Windows operating system.

“LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions,” Kálnai said .

“This approach offers a significant advantage in terms of stealthiness, both in evading real-time monitoring solutions like EDRs, and post-mortem digital forensic tools.”

ESET researchers refer to LightlessCan as “execution guardrails” as they can only be decrypted on the victim’s own machine, avoiding accidental decryption by cyber security employees.

Kálnai used the example of one employee of a Spanish aerospace company employee who received LinkedIn messages from “Steve Dawson”, a fake recruiter from Meta back in 2022.

Message from a Lazarus hacker
Lazarus hacker pretends to be a recruiter from Meta

The Fight Against Lazarus

The US Federal Bureau of Investigation (FBI) has been keeping close tabs on activity by the North Korean hacker group which led to a bill under the name of the “CANSEE Act” which, among others, focuses on stifling the efforts by Lazarus.

However, Bill Hughes, a former Associate Deputy Attorney General and attorney at ConsenSys is not optimistic about the outcome of the bill nor the efforts against Lazarus.

Unless Lazarus magically disappears tomorrow, whether because they move on to hacking drones or AI, or because Kim Jong Un has a change of heart and drops the whole Communist Dystopia thing, then some legislation in the US that seeks to solve for a growing national security problem WILL probably, eventually get enough support to go through, Hughes. 

“And the risk that something squeaks through on a must-approve vehicle goes up as the status quo progresses.”

Was this Article helpful? Yes No