win.lightlesscan

LightlessCan

Actor(s): Lazarus Group


LightlessCan is a complex HTTP(S) RAT that is a successor of the Lazarus RAT BlindingCan.

In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.

Besides supporting the commands already present in BlindingCan, its most significant addition is the mimicked functionality of many native Windows commands:
• ipconfig
• net
• netsh advfirewall firewall
• netstat
• reg
• sc
• ping (for both IPv4 and IPv6 protocols)
• wmic process call create
• nslookup
• schtasks
• systeminfo
• arp

These native commands are often abused by attackers after they have gained a foothold in the target's system. LightlessCan is able to execute them discreetly within the RAT itself, rather than running them visibly through the system console. This provides stealth both against real-time monitoring solutions such as EDRs and against post-mortem digital forensic tools, since no separate console process or command line is created for the operator's activity.

LightlessCan uses RC6 to decrypt its configuration and to encrypt and decrypt its network traffic.

References
2023-10-04, Virus Bulletin, Peter Kálnai: Lazarus Campaigns and Backdoors in 2022-23 (families covered: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader)
2023-09-29, ESET Research, Peter Kálnai: Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company (families covered: CLOUDBURST, LightlessCan, miniBlindingCan, sRDI)
Yara Rules
[TLP:WHITE] win_lightlesscan_auto (20230808 | Detects win.lightlesscan.)
rule win_lightlesscan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lightlesscan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 33db 48895c2460 488b4d70 4885c9 7405 e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33db                 | mov                 dword ptr [esp + 0x60], edi
            //   48895c2460           | dec                 eax
            //   488b4d70             | mov                 eax, dword ptr [esp + 0x58]
            //   4885c9               | dec                 eax
            //   7405                 | lea                 eax, [esp + 0x78]
            //   e8????????           |                     

        $sequence_1 = { b890100000 e8???????? 482be0 48c7442458feffffff 48899c24c8100000 4889b424d0100000 4889bc24d8100000 }
            // n = 7, score = 100
            //   b890100000           | dec                 eax
            //   e8????????           |                     
            //   482be0               | lea                 edx, [0x36eb0]
            //   48c7442458feffffff     | inc    ecx
            //   48899c24c8100000     | add                 esi, esi
            //   4889b424d0100000     | inc                 ecx
            //   4889bc24d8100000     | mov                 edx, esp

        $sequence_2 = { 4863d8 e8???????? 488bd3 b940000000 ffd0 488d0deaa20300 c705????????01000000 }
            // n = 7, score = 100
            //   4863d8               | mov                 ebp, dword ptr [esp + 0xac0]
            //   e8????????           |                     
            //   488bd3               | dec                 eax
            //   b940000000           | mov                 ecx, dword ptr [ebp + 0x9b0]
            //   ffd0                 | dec                 eax
            //   488d0deaa20300       | xor                 ecx, esp
            //   c705????????01000000     |     

        $sequence_3 = { 488d0d50c00100 e8???????? 4983c8ff ba80000000 488905???????? 488d0da05d0500 4885c0 }
            // n = 7, score = 100
            //   488d0d50c00100       | test                esi, esi
            //   e8????????           |                     
            //   4983c8ff             | je                  0x1188
            //   ba80000000           | dec                 eax
            //   488905????????       |                     
            //   488d0da05d0500       | dec                 eax
            //   4885c0               | jne                 0x10e1

        $sequence_4 = { 4881c440020000 5b f3c3 8815???????? 0100 a9150100c7 150100d615 }
            // n = 7, score = 100
            //   4881c440020000       | push                edi
            //   5b                   | dec                 eax
            //   f3c3                 | sub                 esp, 0x88
            //   8815????????         |                     
            //   0100                 | dec                 eax
            //   a9150100c7           | mov                 dword ptr [eax - 0x18], ebx
            //   150100d615           | dec                 eax

        $sequence_5 = { 498bcc e8???????? 488d1564b70500 41b804000000 498bcc e8???????? 488d1567b70500 }
            // n = 7, score = 100
            //   498bcc               | dec                 esp
            //   e8????????           |                     
            //   488d1564b70500       | lea                 eax, [ebp - 0x20]
            //   41b804000000         | mov                 edx, ebx
            //   498bcc               | dec                 ecx
            //   e8????????           |                     
            //   488d1567b70500       | mov                 ecx, ebp

        $sequence_6 = { 4889442420 e8???????? eb0c 4c8d0d68440100 e8???????? 488d0d8cc10100 }
            // n = 6, score = 100
            //   4889442420           | mov                 dword ptr [esp + 0x20], edi
            //   e8????????           |                     
            //   eb0c                 | call                edi
            //   4c8d0d68440100       | test                eax, eax
            //   e8????????           |                     
            //   488d0d8cc10100       | jne                 0x623

        $sequence_7 = { 488d0d23b40600 ffd0 48833d????????00 7415 488d0db04a0300 e8???????? 488b0d???????? }
            // n = 7, score = 100
            //   488d0d23b40600       | je                  0x4e2
            //   ffd0                 | dec                 eax
            //   48833d????????00     |                     
            //   7415                 | lea                 ecx, [0x37d39]
            //   488d0db04a0300       | dec                 eax
            //   e8????????           |                     
            //   488b0d????????       |                     

        $sequence_8 = { 7506 ff15???????? 4489bc24f8000000 488b07 418bf7 0fb74814 }
            // n = 6, score = 100
            //   7506                 | lea                 eax, [0x5e6c3]
            //   ff15????????         |                     
            //   4489bc24f8000000     | mov                 edx, 0x80
            //   488b07               | jmp                 0xc1a
            //   418bf7               | dec                 esp
            //   0fb74814             | lea                 eax, [0x5c2e7]

        $sequence_9 = { 488d4d30 33d2 41b801100000 e8???????? 33d2 41b8faff0000 488bce }
            // n = 7, score = 100
            //   488d4d30             | mov                 dword ptr [ebp - 0x31], esp
            //   33d2                 | dec                 esp
            //   41b801100000         | mov                 dword ptr [ebp - 0x11], esp
            //   e8????????           |                     
            //   33d2                 | add                 edi, eax
            //   41b8faff0000         | inc                 esp
            //   488bce               | mov                 dword ptr [ebp - 0x39], esp

    condition:
        7 of them and filesize < 1399808
}