For the first time, a Lazarus campaign considered part of “Operation DreamJob” has been found to target Linux users with malware. ESET researchers who identified this new targeting also confirmed with high confidence that Lazarus carried out the recent supply-chain attack against VoIP operator 3CX. That hack, which compromised several businesses through a trojanized 3CX client carrying information-stealing trojans, was only identified in March 2023.
Lazarus was previously suspected of carrying out the attack, and several cybersecurity firms concurred with high confidence that the threat actor that trojanized 3CX was connected to North Korea. The findings of Mandiant’s research into the 3CX hack were recently published, and they further link the attack to North Korean threat actors. According to Mandiant, 3CX’s developer environment was compromised after an employee installed trading software from Trading Technologies whose installer had been trojanized in a separate North Korean supply-chain attack.
Operation DreamJob by Lazarus, also known as Nukesped, targets individuals who work in the software or DeFi industries by posting phony job offers on LinkedIn and other social networking and communication platforms. These social engineering attacks aim to deceive targets into downloading malicious files disguised as legitimate documents containing information about the advertised position.
These documents, however, infect the victim’s machine with malware. In the case identified by ESET, Lazarus distributes a ZIP archive named “HSBC job offer.pdf.zip” via LinkedIn direct messages or spearphishing. Concealed inside the archive is a Linux binary written in Go that imitates a PDF by using a Unicode character in its name.
“Interestingly, the file extension is not .pdf. This is because the apparent dot character in the filename is a leader dot represented by the U+2024 Unicode character,” explains ESET. “The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF.”
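The leader-dot trick described above can be caught before a user ever double-clicks the file: a filename whose apparent extension is separated by a Unicode look-alike rather than an ASCII full stop (U+002E) has no real extension at all. The following script is an added example, not code from the article or from ESET; it checks a filename for non-ASCII dot look-alikes, reports the extension a human would read versus the one the operating system actually sees, and can scan the member names of a ZIP archive held in memory. The sample archive built in `build_sample_archive` is constructed for the demonstration and is not the real lure.

```python
import io
import unicodedata
import zipfile

ASCII_DOT = "."


def analyze_filename(name: str) -> dict:
    """Inspect a filename for extension spoofing with Unicode dot look-alikes.

    Returns a dict with:
      real_ext      extension the OS sees (split on the ASCII full stop only)
      apparent_ext  extension a human reads (split on the last ASCII dot or
                    dot look-alike, whichever comes later)
      suspicious    list of (index, codepoint, Unicode name) for look-alikes
      deceptive     True when a look-alike makes the apparent extension differ
                    from the real one (e.g. "offer\u2024pdf" has no real ext)
    """
    suspicious = []
    last_lookalike = -1
    for i, ch in enumerate(name):
        if ord(ch) < 128:
            continue  # plain ASCII, including the genuine U+002E
        uname = unicodedata.name(ch, "UNKNOWN")
        # U+2024 ONE DOT LEADER, U+FF0E FULLWIDTH FULL STOP, ... all carry
        # "DOT" or "FULL STOP" in their Unicode names.
        if "DOT" in uname or "FULL STOP" in uname:
            suspicious.append((i, f"U+{ord(ch):04X}", uname))
            last_lookalike = i

    last_real = name.rfind(ASCII_DOT)
    real_ext = name[last_real + 1:].lower() if last_real >= 0 else ""

    split_at = max(last_real, last_lookalike)
    apparent_ext = name[split_at + 1:].lower() if split_at >= 0 else ""

    return {
        "name": name,
        "real_ext": real_ext,
        "apparent_ext": apparent_ext,
        "suspicious": suspicious,
        "deceptive": bool(suspicious) and apparent_ext != real_ext,
    }


def scan_archive(data: bytes) -> list:
    """Return analysis results for every deceptive member name in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            result = analyze_filename(member.rsplit("/", 1)[-1])
            if result["deceptive"]:
                findings.append(result)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and one using U+2024."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign text file")
        zf.writestr("HSBC job offer\u2024pdf", b"\x7fELF placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for member in scan_archive(build_sample_archive()):
        print(f"{member['name']!r}: looks like .{member['apparent_ext']}, "
              f"real extension {member['real_ext'] or '(none)'}, "
              f"look-alikes {member['suspicious']}")
```

Because the apparent extension is computed from the last dot-like glyph, the check also flags fullwidth and other look-alike characters beyond the U+2024 case the article documents; a mail gateway or EDR rule that applies the same test to archive member names would surface this lure regardless of which look-alike is used.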
The malware, known as “OdicLoader,” displays a decoy PDF and, when the recipient double-clicks the file to open it, downloads a second-stage payload from a private repository hosted on the OpenDrive cloud service. That second stage is the “SimplexTea” C++ backdoor, which is dropped at “~/.config/guiconfigd.SimplexTea”. OdicLoader also modifies the user’s ~/.bash_profile so that SimplexTea is launched with Bash, with its output silenced, every time the user starts a new shell session.
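The persistence step above, a shell profile edited to launch a hidden binary with its output discarded, is something a host-based check can look for directly. The script below is an added example, not the article’s or ESET’s code: it parses each line of a shell profile, skips `source`/`.` inclusions and variable assignments, and flags commands whose executable lives in a hidden directory under the home directory when they also silence their output or run in the background. `SAMPLE_PROFILE` is a constructed profile written for this example; its last line imitates the pattern the article describes and is not the malware’s actual modification.

```python
import re
import shlex
from pathlib import Path

# Paths such as ~/.config/..., $HOME/.cache/..., /home/user/.local/...
HIDDEN_HOME = re.compile(r'(?:~|\$HOME|\$\{HOME\}|/home/[^/\s]+)/\.[^\s/]+')
# Redirections that discard output: >/dev/null, 2>/dev/null, &>/dev/null
DEVNULL = re.compile(r'[12&]?>\s*/dev/null')
# Wrappers that may precede the real target on a profile line
WRAPPERS = {"bash", "sh", "zsh", "nohup", "exec"}


def classify_line(line: str):
    """Return a finding dict for a suspicious profile line, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped, comments=True)
    except ValueError:  # unbalanced quotes; fall back to whitespace split
        tokens = stripped.split()
    if not tokens:
        return None

    cmd = tokens[0]
    # Inclusions and assignments (PATH=..., export FOO=...) are normal here.
    if cmd in ("source", ".") or "=" in cmd:
        return None

    # Only the first command on the line is examined; compound lines such as
    # "[ -f ~/.bashrc ] && . ~/.bashrc" are therefore treated as benign.
    i = 0
    while i < len(tokens) and tokens[i] in WRAPPERS:
        i += 1
    while i < len(tokens) and tokens[i].startswith("-"):
        i += 1  # skip interpreter flags such as -c
    target = tokens[i] if i < len(tokens) else cmd

    reasons = []
    if HIDDEN_HOME.search(target):
        reasons.append("executes a file from a hidden directory under $HOME")
    if DEVNULL.search(stripped):
        reasons.append("discards its output")
    if tokens[-1] == "&":
        reasons.append("runs in the background")

    # Alert when a hidden-directory executable is also silenced or detached.
    if reasons and reasons[0].startswith("executes") and len(reasons) > 1:
        return {"line": stripped, "target": target, "reasons": reasons}
    return None


def scan_profile(text: str) -> list:
    """Scan profile contents and return all findings."""
    return [f for f in (classify_line(l) for l in text.splitlines()) if f]


def scan_home(home: Path) -> dict:
    """Scan the usual login/interactive profiles under a home directory."""
    results = {}
    for name in (".bash_profile", ".bashrc", ".profile", ".zshrc"):
        path = home / name
        if path.is_file():
            results[str(path)] = scan_profile(path.read_text(errors="replace"))
    return results


# Constructed sample profile; the last line imitates the described pattern.
SAMPLE_PROFILE = """\
# constructed ~/.bash_profile for this example
export PATH="$HOME/.local/bin:$PATH"
[ -f ~/.bashrc ] && . ~/.bashrc
alias ll='ls -la'
bash ~/.config/guiconfigd.SimplexTea >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for finding in scan_profile(SAMPLE_PROFILE):
        print(f"{finding['line']}\n  -> {'; '.join(finding['reasons'])}")
```

Running `scan_home(Path.home())` on a fleet of Linux hosts, and diffing results against a known-good baseline, turns this one-off indicator into a reusable check for any profile-based persistence that follows the same shape.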
After analyzing SimplexTea, ESET found that it shares many characteristics with Lazarus’ Windows malware known as “BadCall,” as well as with the macOS equivalent known as “SimpleSea,” including functionality, encryption methods, and hardcoded infrastructure. ESET also discovered on VirusTotal an older iteration of SimplexTea, named “sysnetd,” which is comparable to the backdoors mentioned above but written in C.
That older version saves its settings in a file named /tmp/vgauthsvclog, a name used by the VMware Guest Authentication service. This implies the targeted system may be a VMware virtual machine running Linux. ESET investigators also found that, when the sysnetd backdoor is used, the SimpleSea malware relies on an XOR key previously identified in the 3CX investigation.
“Taking a look at the three 32-bit integers, 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment,” explained ESET.
SimplexTea and SimpleSea use different XOR keys, although their configuration files share the same name, “apdl.cf.” The 3CX attack and Lazarus’ move to Linux malware are two examples of how the group’s tactics keep evolving; its toolset now covers Linux in addition to Windows and macOS. Similar Lazarus Operation DreamJob attacks have been highly successful for the threat actors, letting them steal $620 million from Axie Infinity.
The $100 million bitcoin heist from the Harmony Bridge was carried out by Lazarus, according to the FBI’s confirmation. The current supply-chain attack by Lazarus on 3CX is another well-publicized triumph for the renowned cyber gang.