Lazarus Group Shifts Focus To Linux Malware In Unexpected Business Pivot


The infamous Lazarus Group, a North Korea-affiliated state-sponsored cybercriminal organization, has expanded its malicious activities by targeting Linux users in a new campaign. Researchers at ESET have published a report outlining the group’s latest endeavors, which fall under the umbrella of Operation Dream Job. It marks the first instance of the Lazarus Group employing Linux malware as part of their social engineering tactics.

Operation Dream Job: Exploiting Job Offers to Distribute Malware

Operation Dream Job, also tracked as DeathNote or NukeSped, consists of multiple attack waves that use fraudulent job offers to trick victims into downloading malware. The campaign shares traits with two other Lazarus Group operations: Operation In(ter)ception and Operation North Star.

ESET’s investigation found that the Lazarus Group delivers a counterfeit HSBC job offer inside a ZIP archive as part of its attack chain. Once the archive is opened, it launches SimplexTea, a Linux backdoor that is hosted on an OpenDrive cloud storage account.

While the actual means of delivering the ZIP file remains unclear, the researchers suspect spear-phishing emails or direct LinkedIn messages. The SimplexTea backdoor, written in C++, also shows similarities to BADCALL, a Windows trojan previously attributed to the Lazarus Group.
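A defender-side check for the lure described above, an archive whose “job offer” is really a Linux executable, added here as an illustrative example and not code from ESET’s report or the malware itself. The sample archive, its file names and the ELF-looking bytes are constructed for the demonstration; it flags ZIP entries that start with the ELF magic or carry Unix executable bits, regardless of their extension.

```python
import io
import zipfile
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# Document-style extensions a lure might use to make a binary look like a job offer.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt", ".rtf")


@dataclass
class Finding:
    name: str
    reason: str


def entry_is_executable(info: zipfile.ZipInfo) -> bool:
    # The high 16 bits of external_attr hold the Unix mode for archives built on Unix.
    mode = (info.external_attr >> 16) & 0o777
    return bool(mode & 0o111)


def scan_zip_for_elf_lures(data: bytes) -> list:
    """Return a Finding for each suspicious entry: an ELF binary (especially one named
    like a document) or an entry with executable bits. Only the first 4 bytes are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            is_elf = head == ELF_MAGIC
            looks_like_doc = info.filename.lower().endswith(DOCUMENT_EXTENSIONS)
            if is_elf and looks_like_doc:
                findings.append(Finding(info.filename, "ELF binary with a document-style name"))
            elif is_elf:
                findings.append(Finding(info.filename, "ELF binary inside archive"))
            elif entry_is_executable(info):
                findings.append(Finding(info.filename, "entry has Unix executable bits set"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign text file plus a fake 'job offer' whose content
    begins with an ELF header and which is marked executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Thank you for your interest in the position.\n")
        lure = zipfile.ZipInfo("HSBC_job_offer.pdf")  # hypothetical name for the lure
        lure.external_attr = 0o100755 << 16  # regular file, mode 0755
        zf.writestr(lure, ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    return buf.getvalue()
```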

Connection to 3CX Supply Chain Attack: Shared Artifacts and C2 Domains

ESET’s research has also established connections between the artifacts employed in Operation Dream Job and those discovered in the supply chain attack against VoIP software developer 3CX. One such link is the command-and-control (C2) domain “journalide[.]org,” which served as one of the four C2 servers utilized by malware strains found within the 3CX environment.

The groundwork for the supply chain attack began as early as December 2022, when some components were submitted to the GitHub code-hosting platform.

The findings reinforce the association between the Lazarus Group and the 3CX compromise. They also highlight the group’s continued success in executing supply chain attacks since 2020.

This latest campaign targeting Linux users demonstrates the group’s adaptability and determination to infiltrate new platforms in pursuit of their malicious objectives.

Heightened Vigilance Needed to Combat Cyber Threats

As the Lazarus Group continues to evolve and expand its attack methods, organizations and individuals must remain vigilant in safeguarding their digital assets.

The emergence of Operation Dream Job targeting Linux users is a reminder that no platform is immune to cyber threats and malware. Constant security updates and best practices are essential to mitigating the risk of cyber attacks.
