Beware of the Job Offer: The Lazarus Group’s Operation Dream Job

The North Korea-linked Lazarus Group has returned with a twist on LinkedIn recruitment scams, targeting an aerospace company in Spain. The attack, part of the campaign known as Operation Dream Job, lured victims with enticing job offers only to deliver a complex payload named LightlessCan.

Hot Take:

Well folks, the Lazarus Group is at it again, this time putting a new spin on the classic LinkedIn recruitment scam. The North Korea-linked hacker crew has been up to its old tricks, targeting an aerospace company in Spain by posing as a recruiter for Meta. Note to self: If a recruiter approaches you with a coding challenge that downloads a suspicious file, it might not be your dream job. Instead, it could be the start of Operation Dream Job, a spear-phishing campaign with a payload that’s more nightmare than dream.

Key Points:

  • The Lazarus Group, a North Korea-linked hacker group, targeted an aerospace company in Spain through a spear-phishing LinkedIn recruitment scam.
  • The attack is part of a campaign known as Operation Dream Job, which uses the lure of lucrative job opportunities to entice victims into activating an infection chain.
  • The attackers used a complex payload named LightlessCan, which exhibits a high level of sophistication in its design and operation.
  • The attack began with a fake LinkedIn message from a supposed Meta recruiter, who sent coding challenges that downloaded malicious files.
  • Once executed, these files led to the self-compromise of the targeted system.

Need to know more?

No Dream Job Here

The Lazarus Group seems to have taken inspiration from the classic bait-and-switch trick. Employees of the targeted company were contacted with job offers that seemed almost too good to be true. And, as it turns out, they were. Instead of a promising career opportunity, the reward for their interest was a malicious executable file. Talk about a tough interview process!

Upgrade to First Class Malware

Not content with run-of-the-mill malware, the Lazarus Group upped their game with the introduction of a new payload, LightlessCan. This is no simple bug; it's a complex tool that exhibits a high level of sophistication. It's like they upgraded from a bicycle to a sports car overnight!

A LinkedIn Encounter to Regret

The attack began with a LinkedIn message from a supposed Meta recruiter. After sending two coding challenges, the recruiter convinced the victim to execute the test files, leading to the compromise of the system. It's the digital equivalent of inviting a vampire into your house - once you let them in, it's hard to get them out!

Stealthy Execution

The LightlessCan payload mimics a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions. This makes detecting and analyzing the attacker's activities more challenging. It's like a ninja sneaking into your computer, silently executing commands while you're none the wiser.

Guardrails: More than just a safety measure

A noteworthy trait of this campaign is the use of execution guardrails that prevent the payloads from being decrypted and run on any machine other than the intended victim's. It's the digital equivalent of a custom-made suit - it only fits the intended recipient, making it all the more dangerous.
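To make the guardrail idea concrete, here is an added illustration (not code from the campaign or from any published analysis of it) of environmental keying: the decryption key is derived from attributes of the host, so the same blob opens on the intended machine and stays opaque everywhere else, including an analysis sandbox. The fingerprint strings and the payload are constructed stand-ins; real guardrails pick their own attributes and ciphers.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, hypothetical host fingerprints: the values a guardrail binds to
# never ship with the sample, only the check that they are right.
VICTIM_FINGERPRINT = "WORKSTATION-01|DESKTOP-AB12CD|alice"
SANDBOX_FINGERPRINT = "SANDBOX-VM|WIN10-ANALYSIS|user"


def derive_key(fingerprint: str) -> bytes:
    """Turn host attributes into a 32-byte key; without the right host there is no key."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint.encode(), b"guardrail-demo", 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream so the example runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(payload: bytes, fingerprint: str) -> bytes:
    """Encrypt and authenticate a payload under a key bound to one host."""
    key = derive_key(fingerprint)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + tag + ct


def open_sealed(blob: bytes, fingerprint: str) -> Optional[bytes]:
    """Return the payload on the intended host, None anywhere else (no crash, no output)."""
    key = derive_key(fingerprint)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

The defender's takeaway is that detonating such a sample in a sandbox yields nothing, so the decrypted stage has to be recovered from memory and artefacts on the victim host itself.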

Tags: BLINDINGCAN, Cyber Espionage, Lazarus Group, LightlessCan, LinkedIn Attacks, Operation Dream Job, Spear-phishing