New Lazarus Group campaign uses fake job offers to deliver Linux malware
The Lazarus Group, a North Korea-aligned state-sponsored actor, has been attributed to a new campaign called Operation Dream Job that targets Linux users.
In a recently published report, analysts from cybersecurity firm ESET revealed that this social engineering scheme uses fraudulent job offers to trick unsuspecting targets into downloading malware.
The attack chain involves a fake HSBC job offer as a decoy within a ZIP archive file that delivers a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.
The method used to distribute the ZIP file is suspected to be either spear-phishing or direct messages on LinkedIn.
The Lazarus Group has also been linked to a recent supply chain attack on VoIP software developer 3CX.
Indicators of Compromise
SHA-1/Domain/IP |
---|
0CA1723AFE261CD85B05C9EF424FC50290DCE7DF |
3A63477A078CE10E53DFB5639E35D74F93CEFA81 |
9D8BADE2030C93D0A010AA57B90915EB7D99EC82 |
F6760FB1F8B019AF2304EA6410001B63A1809F1D |
od[.]lk |
journalide[.]org |
23.254.211[.]230 |
38.108.185[.]79 |
38.108.185[.]115 |
172.93.201[.]88 |
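The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a log search. As an added example that is not part of the article or of ESET's report, the following Python sweep refangs the network indicators, matches them against constructed DNS/proxy log lines, and hashes files with SHA-1 to compare against the listed sample hashes. The log lines, the `Downloads/*.zip` glob and the function names are this example's own assumptions.

```python
import hashlib
import re
from pathlib import Path

# SHA-1 and network indicators exactly as listed in the table above.
SHA1_IOCS = {
    "0CA1723AFE261CD85B05C9EF424FC50290DCE7DF",
    "3A63477A078CE10E53DFB5639E35D74F93CEFA81",
    "9D8BADE2030C93D0A010AA57B90915EB7D99EC82",
    "F6760FB1F8B019AF2304EA6410001B63A1809F1D",
}
NETWORK_IOCS_DEFANGED = [
    "od[.]lk",
    "journalide[.]org",
    "23.254.211[.]230",
    "38.108.185[.]79",
    "38.108.185[.]115",
    "172.93.201[.]88",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("od[.]lk") into its matchable form ("od.lk")."""
    return indicator.replace("[.]", ".")


# One compiled pattern per indicator. The \b anchors stop 38.108.185.79 from
# matching inside 138.108.185.79 or 38.108.185.790, and od.lk from matching good.lk.
NETWORK_PATTERNS = [
    (refang(i), re.compile(r"\b" + re.escape(refang(i)) + r"\b"))
    for i in NETWORK_IOCS_DEFANGED
]


def sha1_hex(data: bytes) -> str:
    """Upper-case SHA-1 of a byte string, the form used in the IoC table."""
    return hashlib.sha1(data).hexdigest().upper()


def is_known_hash(digest: str) -> bool:
    """Case-insensitive membership test against the published SHA-1 list."""
    return digest.strip().upper() in SHA1_IOCS


def scan_files(paths):
    """Hash each file in chunks and return (path, digest) for IoC matches."""
    hits = []
    for p in map(Path, paths):
        h = hashlib.sha1()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digest = h.hexdigest().upper()
        if digest in SHA1_IOCS:
            hits.append((str(p), digest))
    return hits


def network_hits(log_lines):
    """Return (line_number, indicator) for each log line naming a refanged IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ioc, pattern in NETWORK_PATTERNS:
            if pattern.search(line):
                hits.append((n, ioc))
    return hits


# Constructed DNS/proxy log lines for the demonstration (not real telemetry).
# Line 4 deliberately contains a near-miss (138.108.185.79) that must not match.
SAMPLE_LOG = [
    "2023-04-20T10:00:01Z dns query example.com A",
    "2023-04-20T10:00:02Z dns query od.lk A",
    "2023-04-20T10:00:03Z proxy CONNECT 38.108.185.115:443",
    "2023-04-20T10:00:04Z proxy CONNECT 138.108.185.79:443",
]

if __name__ == "__main__":
    for n, ioc in network_hits(SAMPLE_LOG):
        print(f"line {n}: matched {ioc}")
    # Assumed location to sweep; adjust to wherever downloads land on the host.
    for path, digest in scan_files(Path.home().glob("Downloads/*.zip")):
        print(f"{path}: SHA-1 {digest} is a listed Operation Dream Job sample")
```

Run against the sample log the sweep reports lines 2 and 3 only; the word-boundary anchoring is what keeps the near-miss IP on line 4 out of the results, which matters when the same list is fed to a SIEM as regular expressions.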
MITRE ATT&CK techniques
Tactic | ID | Name | Description |
---|---|---|---|
Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | Lazarus attackers probably approached a target with a fake HSBC-themed job offer that would fit the target’s interest. This has been done mostly via LinkedIn in the past. |
Resource Development | T1584.001 | Acquire Infrastructure: Domains | Unlike many previous cases of compromised C&Cs used in Operation DreamJob, Lazarus operators registered their own domain for the Linux target. |
Resource Development | T1587.001 | Develop Capabilities: Malware | Custom tools from the attack are very likely developed by the attackers. |
Resource Development | T1585.003 | Establish Accounts: Cloud Accounts | The attackers hosted the final stage on the cloud service OpenDrive. |
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | The attackers hosted the final stage on the cloud service OpenDrive. |
Execution | T1204.002 | User Execution: Malicious File | OdicLoader masquerades as a PDF file in order to fool the target. |
Initial Access | T1566.002 | Phishing: Spearphishing Link | The target likely received a link to third-party remote storage with a malicious ZIP archive, which was later submitted to VirusTotal. |
Persistence | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | OdicLoader modifies the victim’s Bash profile, so SimplexTea is launched each time Bash is started and its output is muted. |
Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | SimplexTea can create a new process, if instructed by its C&C server. |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | SimplexTea stores its configuration in an encrypted apdl.cf. |
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage. |
Defense Evasion | T1562.003 | Impair Defenses: Impair Command History Logging | OdicLoader modifies the victim’s Bash profile, so the output and error messages from SimplexTea are muted. SimplexTea executes new processes with the same technique. |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | SimplexTea has the ability to delete files securely. |
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | SimplexTea implements multiple custom sleep delays in its execution. |
Discovery | T1083 | File and Directory Discovery | SimplexTea can list the directory content together with their names, sizes, and timestamps (mimicking the ls -la command). |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SimplexTea can use HTTP and HTTPS for communication with its C&C server, using a statically linked Curl library. |
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SimplexTea encrypts C&C traffic using the AES-GCM algorithm. |
Command and Control | T1132.001 | Data Encoding: Standard Encoding | SimplexTea encodes C&C traffic using base64. |
Command and Control | T1090 | Proxy | SimplexTea can utilize a proxy for communications. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | SimplexTea can exfiltrate data as ZIP archives to its C&C server. |
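The T1546.004 and T1562.003 rows describe the same persistence footprint: a line added to the Bash profile that launches the backdoor on every shell start with its output discarded. As an added example that is not from the article or from ESET, the Python scan below reads the usual Bash start-up files and flags lines that combine at least two of three heuristics (output sent to /dev/null, a backgrounded or detached command, and a program run from a hidden or temporary path). The heuristics, the file list beyond `.bash_profile`, and the constructed sample profile are this example's own assumptions, chosen so that ordinary lines such as sourcing `~/.bashrc` or silencing `ssh-agent` are not reported.

```python
import re
from pathlib import Path

# Shell start-up files to check. The report names the Bash profile; the other
# names are the usual Bash/sh equivalents and are an assumption of this example.
PROFILE_FILES = [".bash_profile", ".bashrc", ".bash_login", ".profile"]

# Heuristics are this example's, not ESET's. A line is reported only when at
# least two of them fire, which keeps single benign traits out of the results.
MUTE_RE = re.compile(r"[12&]?>\s*/dev/null")  # stdout and/or stderr discarded
BACKGROUND_RE = re.compile(r"(?:^\s*nohup\b|\bsetsid\b|\bdisown\b|(?<![&>])&\s*$)")
USER_PATH_RE = re.compile(
    r"(?:^|\s|\()(?:/tmp/|/dev/shm/|/var/tmp/|~/\.|\$HOME/\.)[\w./-]*"
)


def suspicious_profile_lines(text: str):
    """Return (line_number, line, reasons) for lines matching >= 2 heuristics."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = []
        if MUTE_RE.search(stripped):
            reasons.append("output muted")
        if BACKGROUND_RE.search(stripped):
            reasons.append("backgrounded")
        if USER_PATH_RE.search(stripped):
            reasons.append("runs from hidden/tmp path")
        if len(reasons) >= 2:
            hits.append((n, stripped, reasons))
    return hits


def scan_home(home: Path):
    """Scan one home directory's start-up files; returns {filename: hits}."""
    findings = {}
    for name in PROFILE_FILES:
        path = home / name
        if path.is_file():
            hits = suspicious_profile_lines(path.read_text(errors="replace"))
            if hits:
                findings[name] = hits
    return findings


# Constructed ~/.bash_profile for the demonstration. Lines 2-4 are ordinary
# content; the last line mimics the described pattern (run on every shell
# start, stdout and stderr muted, backgrounded, binary under a hidden path).
SAMPLE_PROFILE = """\
# ~/.bash_profile (constructed sample)
export PATH="$HOME/bin:$PATH"
[ -f ~/.bashrc ] && . ~/.bashrc
eval "$(ssh-agent -s)" > /dev/null
~/.config/.cache/updater > /dev/null 2>&1 &
"""

if __name__ == "__main__":
    for n, line, why in suspicious_profile_lines(SAMPLE_PROFILE):
        print(f"sample line {n}: {line!r} ({', '.join(why)})")
    for name, hits in scan_home(Path.home()).items():
        for n, line, why in hits:
            print(f"{name}:{n}: {line!r} ({', '.join(why)})")
```

On the sample profile only line 5 is reported, with all three reasons. For fleet-wide use, run `scan_home` over every directory under `/home` (and root's home) from a privileged account, and pair it with file-integrity monitoring on the same files, since a profile edit is a write event that is easy to alert on independently of the content heuristics.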