LightlessCan malware


The LightlessCan backdoor: ESET says LightlessCan is a successor to BlindingCan, based on source code and command ordering similarities, featuring a more sophisticated code structure, different indexing, and enhanced functionality.

The malware replicates many native Windows commands like ping, ipconfig, netstant, mkdir, schstasks, systeminfo, etc., so it can execute them without appearing in the system console for better stealthiness against real-time monitoring tools. Since those commands are closed-source, ESET comments that Lazarus has either managed to reverse engineer the code or drew inspiration from the open-source versions. Another interesting aspect reported by ESET is that one of the LightlessCan payloads they sampled was encrypted and could only be decrypted using a key dependent on the target's environment.

This is an active protection measure to prevent outside access to the victim's computer, for example, by security researchers or analysts.

This discovery underscores that Lazarus' Operation Dreamjob is not solely driven by financial objectives, such as cryptocurrency theft, but also encompasses espionage goals.

Incidents Caused by this Malware

Threat Actors Known to use this Malware

No threat actors identified