Lazarus’ “Operation DreamJob” campaign targets Linux users
ESET has discovered a new Lazarus campaign within “Operation DreamJob,” the first Linux malware seen in that operation, and has confirmed Lazarus’ involvement in the recent supply-chain attack on VoIP provider 3CX.
Lazarus’ “Operation DreamJob” campaign, also known as Nukesped, is an ongoing operation that targets people working on software or DeFi systems. The social engineering attack lures victims with bogus job offers on professional networking sites such as LinkedIn.
The attackers craft convincing fake documents that appear to contain detailed job descriptions but are in fact malware-laden files. Several firms were compromised in this attack after installing a trojanized version of the 3CX client, which led to the deployment of information-stealing trojans.
ESET’s investigation into Lazarus’ Linux-focused attack found that the threat actor distributed a deceptive ZIP archive named “HSBC job offer.pdf.zip” via spearphishing or direct messages on LinkedIn. Inside the archive is a Linux binary written in Go. The attackers use a Unicode character in the filename to make the file look like a PDF and dupe unsuspecting victims: ESET explains that the one dot leader character (U+2024) in the filename was likely intended to make file managers treat the file as an executable rather than a PDF, so that double-clicking runs it instead of opening it in a PDF viewer.
When launched, the malware, dubbed “OdicLoader,” displays a decoy PDF to distract the victim while downloading a second-stage payload from a private repository hosted on the OpenDrive cloud service. That payload, a C++ backdoor known as “SimplexTea,” is dropped at “~/.config/guiconfigd.SimplexTea”. OdicLoader also modifies the user’s ~/.bash_profile so that SimplexTea is run with Bash, with its output muted, each time a new shell session starts. Further examination by ESET suggests the payload targets Linux VMware virtual machines.
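As an added example (not code from the ESET report or this article), the following Python check flags the two artifacts described above from a defender’s side: a filename whose visible extension is forged with a dot lookalike such as U+2024, and a shell-profile line that quietly launches a hidden file under ~/.config. The additional lookalike code points, the persistence regex and the sample profile text are assumptions constructed for the example; the drop path is the one named in the article.

```python
"""Detection helpers for the DreamJob Linux artifacts: a filename whose
extension is forged with a dot lookalike, and a shell-profile line that
silently launches a hidden file under ~/.config."""
import re
import unicodedata

# Code points that render like '.' and can disguise a file's real extension.
# U+2024 ONE DOT LEADER is the one ESET observed; the others are assumptions
# added for a broader check, not taken from the report.
DOT_LOOKALIKES = frozenset("\u2024\u00b7\u2219\uff0e\ufe52")


def analyze_filename(name):
    """Return (apparent_ext, real_ext, lookalikes).

    apparent_ext: extension as a human reads it (after the last dot-like char).
    real_ext:     extension as the OS sees it (after the last ASCII '.'), or None.
    lookalikes:   Unicode names of any dot lookalikes present in the name.
    """
    lookalikes = [unicodedata.name(c) for c in name if c in DOT_LOOKALIKES]
    seen = "".join("." if c in DOT_LOOKALIKES else c for c in name)
    apparent = seen.rsplit(".", 1)[1].lower() if "." in seen else None
    real = name.rsplit(".", 1)[1].lower() if "." in name else None
    return apparent, real, lookalikes


def is_spoofed_extension(name):
    """True when the visible extension differs from the one the system uses."""
    apparent, real, lookalikes = analyze_filename(name)
    return bool(lookalikes) and apparent != real


# Heuristic for the persistence line described in the report (regex is an
# assumption): bash launching a hidden file under ~/.config with output muted.
PERSIST_RE = re.compile(r"\bbash\b.*~/\.config/\S+.*>\s*/dev/null")


def suspicious_profile_lines(profile_text):
    """Return the stripped lines of a shell profile matching the heuristic."""
    return [ln.strip() for ln in profile_text.splitlines() if PERSIST_RE.search(ln)]


# Constructed sample ~/.bash_profile (not the real artifact); the path is the
# drop location named in the report.
SAMPLE_PROFILE = """export PATH="$HOME/bin:$PATH"
bash ~/.config/guiconfigd.SimplexTea > /dev/null 2>&1 &
"""

if __name__ == "__main__":
    for fname in ("HSBC job offer\u2024pdf", "HSBC job offer\u2024pdf.zip", "report.pdf"):
        print(repr(fname), analyze_filename(fname), "spoofed:", is_spoofed_extension(fname))
    print("suspicious profile lines:", suspicious_profile_lines(SAMPLE_PROFILE))
```

The archive name itself is not flagged as spoofed because its last dot is a real ASCII period, but the returned lookalike list still exposes the U+2024 inside it.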
The sources for this piece include an article in WeLiveSecurity.