Lazarus Group expands DreamJob campaign to Linux users

    ESET researchers have uncovered a new malware campaign by the North Korean Lazarus Group, believed to be part of Operation DreamJob, this time targeting Linux users.

    The previous wave of Lazarus activity, aimed at Windows machines, was recorded in March of this year: several companies were compromised after receiving a trojanized version of the 3CX desktop client built to steal information.

    Mandiant has published the final results of its investigation into the 3CX breach, once again attributing the attack to North Korean actors. According to the report, the 3CX development environment was compromised after one of its employees installed software from Trading Technologies whose installer had been trojanized.

    Operation DreamJob, also tracked as Nukesped, is an ongoing campaign that targets people working on DeFi software and platforms. Attacks begin with fake job offers delivered over LinkedIn and other messaging platforms.

    Through social engineering, the attackers persuade victims to download malicious files disguised as documents describing the job offer; in reality, these files only drop malware onto the target machine.

    In the case ESET analysed, Lazarus distributed a ZIP archive with a clickbait name referring to a job offer at a specific organisation, delivered via spear phishing or LinkedIn direct messages. Inside the archive was a native Linux binary written in Go whose filename had been manipulated to make it look like a PDF.

    “Interestingly, the file extension is not actually ".pdf". This is because the visible dot in the filename is a one dot leader, represented by the Unicode character U+2024. The use of the one dot leader in the filename was probably an attempt to trick the file manager into treating the file as an executable rather than a PDF. This may cause the file to be launched when double-clicked instead of being opened in a PDF viewer,” explains ESET.

    In other words, when the recipient double-clicks what looks like an ordinary PDF document, the first-stage malware, known as "OdicLoader", runs instead. It displays a decoy PDF to the victim while fetching the next-stage payload in the background from an attacker-controlled repository hosted on the OpenDrive cloud service.
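    The filename trick described above can be caught mechanically before anyone double-clicks the archive's contents. The Python script below is an added example, not ESET's code or anything from the original article: it builds a constructed sample ZIP containing a fake ELF named "job offer․pdf" (with U+2024 ONE DOT LEADER in place of the dot) and a genuine decoy PDF, then flags members whose apparent extension differs from the one the OS sees, that carry an ELF header behind a document-like name, or that have the execute bit set. The file names, byte contents, the document-extension list and the set of dot look-alike code points beyond U+2024 are all assumptions made for the demo.

```python
import io
import stat
import unicodedata
import zipfile

# Code points that render like an ASCII full stop and can be used to fake an
# extension. U+2024 ONE DOT LEADER is the one ESET observed; the others are
# added here as plausible look-alikes (an assumption, not from the report).
DOT_CONFUSABLES = {"\u2024", "\u00b7", "\u2027", "\u02d9", "\uff0e", "\u3002"}

# Extensions a user expects to open in a viewer, never to execute (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}
ELF_MAGIC = b"\x7fELF"
PDF_MAGIC = b"%PDF-"


def apparent_extension(name):
    """Extension as a human reads it: split on the last '.' OR any look-alike."""
    for i in range(len(name) - 1, -1, -1):
        if name[i] == "." or name[i] in DOT_CONFUSABLES:
            return name[i + 1:].lower()
    return ""


def real_extension(name):
    """Extension as the OS and file manager see it: only an ASCII '.' counts."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def inspect_member(info, head):
    """Classify one ZIP member from its name, Unix mode bits and first bytes."""
    name = info.filename
    confusables = sorted(
        "U+%04X %s" % (ord(c), unicodedata.name(c))
        for c in set(name) if c in DOT_CONFUSABLES
    )
    mode = info.external_attr >> 16          # Unix mode lives in the high 16 bits
    executable = bool(mode & stat.S_IXUSR)
    if head.startswith(ELF_MAGIC):
        kind = "elf"
    elif head.startswith(PDF_MAGIC):
        kind = "pdf"
    else:
        kind = "other"
    apparent, real = apparent_extension(name), real_extension(name)

    reasons = []
    if confusables:
        reasons.append("dot look-alike in name: " + ", ".join(confusables))
    if apparent != real:
        reasons.append("reads as .%s but OS sees .%s" % (apparent, real or "(none)"))
    if kind == "elf" and apparent in DOCUMENT_EXTS:
        reasons.append("ELF binary posing as a document")
    if executable and apparent in DOCUMENT_EXTS:
        reasons.append("execute bit set on a 'document'")
    return {
        "name": name, "apparent_ext": apparent, "real_ext": real,
        "kind": kind, "executable": executable, "reasons": reasons,
    }


def scan_zip(data):
    """Inspect every regular file in a ZIP held in memory; returns a list of dicts."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)        # enough for the magic-number checks
            results.append(inspect_member(info, head))
    return results


def build_sample_archive():
    """Constructed sample, not the real lure: a fake ELF with U+2024 plus a decoy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = zipfile.ZipInfo("job offer\u2024pdf")        # renders as "job offer.pdf"
        lure.external_attr = (stat.S_IFREG | 0o755) << 16   # owner-executable
        zf.writestr(lure, ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF64 header prefix only
        decoy = zipfile.ZipInfo("job offer.pdf")
        decoy.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(decoy, PDF_MAGIC + b"1.4\n% constructed decoy, not a real document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_archive()):
        verdict = "SUSPICIOUS" if r["reasons"] else "ok"
        print("%-10s %r" % (verdict, r["name"]))
        for reason in r["reasons"]:
            print("           - " + reason)
```

    Two caveats when using this on real mail attachments: the execute-bit check only works if the archiver stored Unix mode bits (archives built on Windows carry none, so the magic-number and look-alike checks do the real work), and a Linux desktop that chooses handlers by MIME type will still hand an ELF to the executable handler regardless of what the name looks like, which is exactly why the name check has to happen before the double-click, not after.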

    The second-stage payload is a C++ backdoor called "SimplexTea". ESET's analysis found it closely resembles, in functionality, encryption methods and hard-coded infrastructure, another Lazarus tool, "BadCall" (for Windows), as well as its macOS variant, "SimpleSea".

    Lazarus's move into Linux malware shows how the group's tooling keeps evolving and now covers all major operating systems.

    Operation DreamJob has already delivered major successes for Lazarus, including the theft of $620 million from Axie Infinity. The FBI has also confirmed that Lazarus was behind the $100 million cryptocurrency theft from the Harmony Bridge platform.

    The recent Lazarus attack on the 3CX supply chain is another resounding success for the North Korean group, which continues to alarm the global security community.

    Author DeepWeb
