Lazarus Hackers Now Push Linux Malware via Fake Job Offers
Summary:
Researchers have uncovered a fresh Lazarus campaign, known as “Operation DreamJob”, that has set its sights on Linux users with malware. This marks the first time Linux users have been targeted by this campaign. Researchers noted that this discovery has given them a high level confidence that Lazarus was responsible for the recent supply-chain attack on VoIP provider 3CX. Multiple companies were compromised in March 2023 when they used a trojanized version of the 3CX client, which contained information-stealing trojans.
Operation Dream Job targets individuals working in software or DeFI platforms. This operation relies on social engineering tactics, such as offering fake job opportunities on LinkedIn and other social media and communication platforms, to entice victims into downloading malicious files disguised as job offer documents. Unfortunately, these files actually contain malware that infects the victim’s computer. In one instance, ESET researchers discovered that Lazarus distributed a ZIP archive titled "HSBC job offer[.]pdf[.]zip" through spear phishing or direct messages on LinkedIn. This archive contained a Linux binary coded in Go and disguised with Unicode character to resemble a PDF file.
ESET researchers have pointed out that the file extension of the malicious file is not .pdf, which is an interesting observation. The reason for this is that the dot character in the filename is actually a leader dot, represented by the U+2024 unicode character. The use of this character in the file name was likely an attempt by the attacker to deceive the file manager into treating the file as an executable. “When the recipient double-clicks on the file to launch it, the malware, known as "OdicLoader," displays a decoy PDF while simultaneously downloading a second-stage malware payload from a private repository hosted on the OpenDrive cloud service. The second-stage payload is a C++ backdoor called "SimplexTea," which is dropped at "~/.config/guiconfigd. SimplexTea." OdicLoader also modifies the user's ~/.bash_profile to ensure that SimplexTea is launched with Bash and its output is muted whenever the user starts a new shell session” (Bleeping Computer, 2023).
Analyst comments:
ESET’s analysis of SimplexTea has revealed that it shares similarities in functionality, encryption techniques, and hardcoded infrastructure with Lazarus’ Windows malware called “BadCall”, as well as the macOS variant known as “SimpleSea”. Additionally, ESET discovered an earlier variant of SimplexTea, named “sysnetd”, on VirusTotal. This variant is similar to the mentioned backdoors but written in C and loads its configuration from a file used by the VMware Guest Authentication service. This indicates that the targeted system may be a Linux VMware virtual machine. Further investigation by ESET analyst revealed that the sysnetd backdoor uses an XOR key previously used by SimpleSea malware, which was uncovered during the 3CX investigation. The same XOR key was used in windows malware in 2014, which was involved in the cyber sabotage of Sony Pictures Entertainment. Although the XOR key between SimplexTEA and SimpleSea payloads differs, the configuration file uses the same name “apdl[.]cf”. These finding demonstrate that Lazarus has expanded its tactics to include Linux malware and can now target all major operating systems, including Windows and macOS.
Mitigation:
ESET has published IOCs associated with the malware, which can be used for detection purposes:
Source: