Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp.
The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges required as part of a hiring process, which the victim downloaded and executed on a company device. The first challenge is a very basic project that displays the text “Hello, World!”; the second one prints a Fibonacci sequence – a series of numbers in which each number is the sum of the two preceding ones. ESET Research was able to reconstruct the initial access steps and analyze the toolset used …
IoC