Security News > 2023 > October > Lazarus impersonated Meta recruiter to breach Spanish aerospace firm

Operators of the North Korea-linked Lazarus APT obtained initial access to the network of an aerospace company in Spain last year after a successful spearphishing campaign, by masquerading as a recruiter for Meta - the company behind Facebook, Instagram, and WhatsApp.

The initial contact by the attacker impersonating a recruiter from Meta.

The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges supposedly required as part of a hiring process, which the victim downloaded and executed on a company device.

ESET research was able to reconstruct the initial access steps and analyze the tool set used by Lazarus thanks to cooperation with the affected aerospace company.

Lazarus disrupts analysis with LightlessCan RAT. Lazarus delivered various payloads to the victims' systems; the most notable is a previously publicly undocumented and sophisticated remote access trojan that we named LightlessCan.

Another mechanism used to minimize exposure is the employment of execution guardrails: Lazarus made sure the payload could be decrypted only on the intended victim's machine.

News URL

https://www.helpnetsecurity.com/2023/10/02/lazarus-lightlesscan/