Lazarus Group Adds Linux Malware to Arsenal of Operation Dream Job
North Korea’s state-sponsored threat actor known as the Lazarus Group has been linked to a new campaign aimed at Linux users.
The attack is part of an ongoing, long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The finding is significant, not least because it marks the first publicly documented instance of this adversary using Linux malware as part of the social engineering scheme.
Operation Dream Job, also known as DeathNote or NukeSped, refers to several waves of attacks in which the group used fake job offers as bait to trick unsuspecting targets into downloading malware. It also overlaps with two other Lazarus campaigns known as Operation In(ter)ception and Operation North Star.
The attack chain uncovered by ESET is no different: it uses a fake HSBC job offer as bait, delivered in a ZIP archive, which is then used to launch a Linux backdoor called SimplexTea that is distributed via OpenDrive cloud storage accounts.
While the exact method used to distribute the ZIP files is unknown, spear-phishing or direct messaging on LinkedIn is suspected. The backdoor, written in C++, is similar to BADCALL, a Windows trojan previously attributed to the group.
Furthermore, ESET says it has identified similarities between the artefacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.
The overlap also includes the command-and-control (C2) domain “journalide(.)org,” which is listed as one of four C2 servers used by the malware family detected in the 3CX environment.
The indications are that preparations for the supply chain attack had been underway since December 2022, when several components were uploaded to the GitHub code hosting platform.
These findings not only reinforce the existing link between the Lazarus Group and the 3CX compromise, but also demonstrate the threat actor’s continued success in conducting supply chain attacks since 2020.