The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.
The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The findings are significant, not least because they mark the first publicly documented instance of the adversary using Linux malware as part of this social engineering scheme.
Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves in which the group uses fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.
The attack chain uncovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy inside a ZIP archive file, which is then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.
While the exact method used to distribute the ZIP file is not known, it is suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.
Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.
This also includes the command-and-control (C2) domain "journalide[.]org," which was listed as one of the four C2 servers used by the malware families detected within the 3CX environment.
Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.
The findings not only strengthen the existing link between the Lazarus Group and the 3CX compromise, but also demonstrate the threat actor's continued success in staging supply chain attacks since 2020.
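The C2 domain above is published in defanged form ("[.]" in place of "."), which is how threat reports are meant to be read by humans, not by tooling. The following is an added defender's example, not code from ESET or the original article: it refangs the indicator and checks constructed DNS query log lines for exact matches and subdomains of it. The second indicator in the list and the log lines are constructed placeholders, and the log format is an assumed BIND-style text layout.

```python
import re

# The defanged C2 domain quoted from the ESET / 3CX reporting, plus a
# constructed placeholder so the matcher is exercised on more than one entry.
DEFANGED_IOCS = [
    "journalide[.]org",             # from the report
    "example-placeholder[.]test",   # constructed placeholder, not a real indicator
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'journalide[.]org' or 'hxxp://x[.]y'
    back into its literal form so it can be compared against log fields."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .lower()
                     .rstrip("."))


def domain_matches(queried: str, ioc_domain: str) -> bool:
    """True if the queried name is the indicator itself or a subdomain of it.
    A name that merely ends with the same characters (e.g. notjournalide.org)
    must not match, so the comparison requires a label boundary."""
    q = queried.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


# Constructed DNS query log lines in an assumed BIND-like textual format.
SAMPLE_DNS_LOG = """\
2023-04-20T10:01:02Z client 10.0.0.15#51234: query: cdn.example.net IN A
2023-04-20T10:01:05Z client 10.0.0.23#51330: query: journalide.org IN A
2023-04-20T10:01:07Z client 10.0.0.23#51331: query: api.journalide.org. IN AAAA
2023-04-20T10:01:09Z client 10.0.0.40#51400: query: notjournalide.org IN A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def find_ioc_hits(log_text: str, defanged_iocs) -> list:
    """Return (timestamp, client, queried name, matched indicator) tuples for
    every log line whose queried name matches one of the refanged indicators."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        for ioc in iocs:
            if domain_matches(m.group("name"), ioc):
                hits.append((m.group("ts"), m.group("client"),
                             m.group("name").rstrip("."), ioc))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print("IOC hit: ts=%s client=%s name=%s matched=%s" % hit)
```

Running the block against the constructed log flags the two queries from client 10.0.0.23 (the bare domain and its "api." subdomain) and ignores "notjournalide.org", which shares a suffix but is a different registered domain. Real deployments would feed the same matcher from a resolver's query log or passive DNS export rather than an inline string.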
Some parts of this article are sourced from:
thehackernews.com