Lazarus Group Adds Linux Malware To Arsenal In Operation Dream Job
A new effort targeting Linux users has been traced back to the notorious North Korean-aligned state-sponsored actor known as the Lazarus Group.
According to ESET’s latest research, “Operation Dream Job,” the attacks are part of a continuous and protracted campaign.
ALSO, READ Researchers Uncover Stealthy Techniques Used By Cranefly Espionage Hackers
These results are significant for a number of reasons, not least of which is that they represent the first publicly reported instance of the adversary employing Linux malware in this social engineering campaign.
Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
Lazarus Group Adds Linux Malware To Arsenal In Operation Dream Job
The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that’s then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.
While the exact method used to distribute the ZIP file is not known, it’s suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.
ALSO, READ Researchers Expose Over 80 ShadowPad Malware C2 Servers
Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
This also includes the command-and-control (C2) domain “journalide[.]org,” which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.
ALSO, READ Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware
Lazarus Group Adds Linux Malware To Arsenal In Operation Dream Job
Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.
The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrates the threat actor’s continued success with staging supply chain attacks since 2020.
Be First to Comment