ESET researchers recently uncovered a new malware campaign by the North Korean Lazarus Group that is believed to be part of Operation DreamJob, this time targeting Linux users.
The previous wave of Lazarus activity aimed at Windows computers was recorded in March of this year: the 3CX supply-chain compromise, in which a trojanized build of the 3CX desktop client was distributed to customers through the vendor's own software, and was used to steal information from several compromised companies.
Mandiant has since published the results of its investigation into the 3CX breach, again attributing the attack to North Korean operators. According to the report, the 3CX development environment was compromised after an employee installed trojanized software from Trading Technologies (the X_TRADER trading platform), whose installer had itself been backdoored in an earlier supply-chain attack.
Operation DreamJob, whose malware ESET tracks as NukeSped, is an ongoing campaign that targets people working in the software industry or on DeFi platforms. Attacks begin with fake job offers sent over LinkedIn and other messaging platforms.
Using social engineering, the attackers persuade the target to download a file that masquerades as a document describing the job offer. In reality, the file is a dropper that installs malware on the target's computer.
In the case documented by ESET, the Lazarus operators distributed a ZIP archive with a clickbait name referring to a job offer at a particular organization. The archive was delivered by spear-phishing e-mail or by direct message on LinkedIn. Inside the archive was a Linux binary written in Go, and the attackers manipulated the file name so that it appeared to be a PDF.
“Interestingly, the file extension is not actually ".pdf". This is because the visible dot in the filename is a leader dot, represented by the Unicode character U+2024. The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF. This could cause the file to run when double-clicked instead of being opened in a PDF viewer,” explains ESET.
In other words, when the recipient double-clicks what looks like an ordinary PDF, the downloader known as "OdicLoader" runs instead. It opens a decoy PDF to keep up appearances while, in the background, it fetches the next-stage payload from an attacker-controlled repository hosted on the OpenDrive cloud storage service.
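The U+2024 trick above is easy to check for on a mailbox or file share. The following script is an added example, not code from ESET or from the malware itself: it walks a directory, flags filenames whose apparent document extension is separated only by a dot look-alike character, and confirms the finding by checking for an ELF header or an execute bit. The set of look-alike code points beyond U+2024, the `DOCUMENT_EXTS` list, and the constructed sample files in `demo()` are assumptions chosen for the example, not observations from the campaign.

```python
"""Flag files whose name fakes a document extension with a Unicode dot
look-alike (e.g. U+2024 ONE DOT LEADER) but whose content is an executable."""
import os
import tempfile
import unicodedata

# Characters that render like an ASCII "." in most fonts. U+2024 is the one
# ESET observed; the others are added here as an assumption for broader coverage.
DOT_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u2025": "TWO DOT LEADER",
    "\u2026": "HORIZONTAL ELLIPSIS",
    "\uff0e": "FULLWIDTH FULL STOP",
    "\ufe52": "SMALL FULL STOP",
    "\u00b7": "MIDDLE DOT",
    "\u2027": "HYPHENATION POINT",
}

# Extensions a lure is likely to imitate (assumed list for the example).
DOCUMENT_EXTS = ("pdf", "doc", "docx", "txt", "rtf", "odt")
ELF_MAGIC = b"\x7fELF"


def lookalike_dots(name: str) -> list:
    """Return (index, char, unicode name) for every dot look-alike in name."""
    return [(i, c, unicodedata.name(c, "?"))
            for i, c in enumerate(name) if c in DOT_LOOKALIKES]


def fake_document_extension(name: str) -> bool:
    """True when the name only *looks* like it ends in a document extension:
    the separator before the extension is a look-alike, so the OS sees no
    real extension at all (e.g. "Job offer\u2024pdf")."""
    for i, _, _ in lookalike_dots(name):
        if name[i + 1:].lower() in DOCUMENT_EXTS:
            return True
    return False


def is_elf(path: str) -> bool:
    """Check the first four bytes for the ELF magic."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def scan_dir(root: str) -> list:
    """Walk root and report spoofed-extension files that are ELF binaries
    or carry an execute bit; a spoofed name alone is not enough to alert."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not fake_document_extension(name):
                continue
            path = os.path.join(dirpath, name)
            elf = is_elf(path)
            executable = os.access(path, os.X_OK)
            if elf or executable:
                findings.append({
                    "path": path,
                    "elf": elf,
                    "executable": executable,
                    "lookalikes": [n for _, _, n in lookalike_dots(name)],
                })
    return findings


def demo() -> list:
    """Build a constructed sample directory and scan it (sample data, not
    real artefacts from the campaign)."""
    tmp = tempfile.mkdtemp()
    # Lure: displays as "Job offer.pdf" but the "." is U+2024 and the content
    # starts with an ELF header; mode 755 mirrors an executable drop.
    lure = os.path.join(tmp, "Job offer\u2024pdf")
    with open(lure, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    os.chmod(lure, 0o755)
    # Benign control: a genuine .pdf extension and PDF content.
    with open(os.path.join(tmp, "Job offer.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n")
    return scan_dir(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running the script reports only the constructed lure, naming the offending code point, so an analyst can see at a glance why a "PDF" was treated as an executable. The same `fake_document_extension` check can be dropped into a mail-gateway attachment filter, where it is cheap enough to run on every filename.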
The second-stage payload is a C++ backdoor called "SimplexTea". After analyzing it, ESET concluded that it closely matches, in functionality, encryption scheme and hard-coded infrastructure, another Lazarus backdoor known as "BadCall" (for Windows) and its macOS variant "SimpleSea".
Lazarus' move to Linux malware illustrates the ever-evolving hacker strategy that now covers all major operating systems.
Operation DreamJob has already paid off handsomely for Lazarus: a fake job offer was the entry point for the theft of roughly $620 million from Axie Infinity's Ronin bridge. The FBI has also confirmed that Lazarus was behind the $100 million cryptocurrency theft from Harmony's Horizon bridge.
The recent attack on the 3CX supply chain marks another major success for the North Korean state-sponsored group, and another reminder of how seriously the global security community has to take it.