The notorious North Korean state-sponsored actor known as the Lazarus Group has been attributed to a new campaign targeting Linux users.
The attacks are part of a persistent, long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The findings are crucial, not least because they mark the first publicly documented example of an adversary using Linux malware as part of such a social engineering scheme.
Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves in which the group uses fraudulent job offers as lures to trick unsuspecting targets into downloading malware. It also shows overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain discovered by ESET is no different, offering a fake HSBC job offer as a decoy inside a ZIP archive file that is then used to launch a Linux backdoor called SimplexTea, distributed through an OpenDrive cloud storage account.
Although the exact method used to distribute the ZIP file is not known, it is suspected to be phishing or LinkedIn direct messages. The backdoor, written in C++, has similarities to BADCALL, a Windows Trojan previously attributed to the group.
Additionally, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those discovered as part of the supply chain attack on VoIP software developer 3CX that came to light last month.
This also includes the command and control (C2) domain “journalide[.]org,” which was listed as one of four C2 servers used by the malware families detected in the 3CX environment.
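A defender's first use of an indicator like the one above is to check whether any host on the network has resolved it. The following is an added example, not code from ESET or from the report, that refangs the defanged domain and matches it against DNS query logs. The log lines are constructed for illustration in a dnsmasq-like format (an assumption; adapt the regex to your resolver's format), and the matching is done on a label boundary so that lookalike names such as notjournalide.org or journalide.org.example.net do not produce false hits while genuine subdomains do.

```python
"""Match DNS query logs against a defanged C2 indicator (added example)."""
import re
from typing import Iterable, List, Tuple

# Indicator quoted in the report, in its defanged form.
DEFANGED_IOC = "journalide[.]org"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .lower()
        .strip(".")
    )


def is_ioc_match(hostname: str, ioc_domain: str) -> bool:
    """True if hostname is the IOC domain itself or one of its subdomains.

    Matching on the '.' label boundary means a lookalike such as
    notjournalide.org, or a name that merely starts with the IOC such as
    journalide.org.example.net, is not reported.
    """
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)


# Constructed sample lines (hypothetical, not taken from the report).
SAMPLE_DNS_LOG = """\
Apr 20 10:01:02 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.5
Apr 20 10:01:07 gw dnsmasq[812]: query[A] journalide.org from 10.0.0.23
Apr 20 10:01:09 gw dnsmasq[812]: query[AAAA] cdn.journalide.org from 10.0.0.23
Apr 20 10:01:15 gw dnsmasq[812]: query[A] notjournalide.org from 10.0.0.9
Apr 20 10:01:20 gw dnsmasq[812]: query[A] journalide.org.example.net from 10.0.0.9
"""

# dnsmasq-style "query[TYPE] <name> from <client>" (assumed format).
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def find_ioc_hits(
    log_lines: Iterable[str], defanged_iocs: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs whose query hit an indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip replies and other noise
        name, src = m.group("name"), m.group("src")
        if any(is_ioc_match(name, ioc) for ioc in iocs):
            hits.append((src, name))
    return hits


if __name__ == "__main__":
    for src, name in find_ioc_hits(SAMPLE_DNS_LOG.splitlines(), [DEFANGED_IOC]):
        print(f"ALERT client {src} resolved {name}")
```

Running it against the constructed log flags the two queries from 10.0.0.23 (the bare domain and its cdn subdomain) and ignores the two lookalikes from 10.0.0.9. The same `find_ioc_hits` call accepts a list of several defanged indicators, so the other 3CX C2 domains can be added as they are published.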
There are indications that preparations for the attack on the supply chain were underway since December 2022, when some of the components were committed to the code hosting platform GitHub.
The findings not only strengthen the existing link between the Lazarus group and the 3CX compromise, but also demonstrate the threat actor’s continued success in conducting supply chain attacks since 2020.
Ikaroa, a full-stack technology company, is closely watching recent reports that the Lazarus Group, a notorious cyber-espionage unit linked to North Korea, has added a new Linux malware to their arsenal. The latest addition has been named “Operation Dream Job” and is specifically designed to target Linux systems.
The first samples of this malicious code were spotted on VirusTotal and immediately caught the attention of cyber-security researchers. The malware displays several similar characteristics to previous Lazarus Group campaigns, making it likely that the same hacking team is behind it.
The new malware is being used for cyber-espionage activities and is deployed using hacked infrastructure. It carries several payloads that allow the attackers to gain access to the target system, establish a communication channel, collect data, and execute arbitrary code.
The Lazarus Group’s increasing use of malware specifically tailored to Linux systems is concerning, particularly since they have already targeted companies worldwide in the past. It is important for organizations to ensure they have the right security measures in place, such as an up-to-date anti-malware solution, to protect against such attacks.
At Ikaroa, we believe that a robust security posture must be a priority in any organization. We offer a range of services, including penetration testing, security audits, and incident response, to identify and mitigate any weaknesses that attackers can exploit. Through our expertise, we can help ensure that you are able to secure and protect your systems against Linux malware threats like Operation Dream Job.