New Lazarus Group campaign uses fake job offers to deliver Linux malware
The Lazarus Group, a North Korea-aligned state-sponsored actor, has been attributed to a new campaign called Operation Dream Job that targets Linux users.
In a recently published report, analysts from cybersecurity firm ESET revealed that this social engineering scheme uses fraudulent job offers to trick unsuspecting targets into downloading malware.
The attack chain involves a fake HSBC job offer as a decoy within a ZIP archive file that delivers a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.
The method used to distribute the ZIP file is suspected to be either spear-phishing or direct messages on LinkedIn.
The Lazarus Group has also been linked to a recent supply chain attack on VoIP software developer 3CX.
Indicators of Compromise
MITRE ATT&CK techniques
| Tactic | ID | Technique | Description |
|---|---|---|---|
| Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | Lazarus attackers probably approached a target with a fake HSBC-themed job offer that would fit the target's interest. This has been done mostly via LinkedIn in the past. |
| Resource Development | T1584.001 | Acquire Infrastructure: Domains | Unlike many previous cases of compromised C&Cs used in Operation DreamJob, Lazarus operators registered their own domain for the Linux target. |
| | T1587.001 | Develop Capabilities: Malware | Custom tools from the attack are very likely developed by the attackers. |
| | T1585.003 | Establish Accounts: Cloud Accounts | The attackers hosted the final stage on the cloud service OpenDrive. |
| | T1608.001 | Stage Capabilities: Upload Malware | The attackers hosted the final stage on the cloud service OpenDrive. |
| Execution | T1204.002 | User Execution: Malicious File | OdicLoader masquerades as a PDF file in order to fool the target. |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | The target likely received a link to third-party remote storage with a malicious ZIP archive, which was later submitted to VirusTotal. |
| Persistence | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | OdicLoader modifies the victim's Bash profile, so SimplexTea is launched each time Bash is started and its output is muted. |
| Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | SimplexTea can create a new process if instructed by its C&C server. |
| | T1140 | Deobfuscate/Decode Files or Information | SimplexTea stores its configuration in an encrypted file, apdl.cf. |
| | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage. |
| | T1562.003 | Impair Defenses: Impair Command History Logging | OdicLoader modifies the victim's Bash profile, so the output and error messages from SimplexTea are muted. SimplexTea executes new processes with the same technique. |
| | T1070.004 | Indicator Removal: File Deletion | SimplexTea has the ability to delete files securely. |
| | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | SimplexTea implements multiple custom sleep delays in its execution. |
| Discovery | T1083 | File and Directory Discovery | SimplexTea can list directory contents together with their names, sizes, and timestamps (mimicking the `ls -la` command). |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SimplexTea can use HTTP and HTTPS for communication with its C&C server, using a statically linked Curl library. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | SimplexTea encrypts C&C traffic using the AES-GCM algorithm. |
| | T1132.001 | Data Encoding: Standard Encoding | SimplexTea encodes C&C traffic using base64. |
| | T1090 | Proxy | SimplexTea can utilize a proxy for communications. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | SimplexTea can exfiltrate data as ZIP archives to its C&C server. |
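The persistence and evasion rows above (T1546.004 and T1562.003) describe one observable artifact: a line added to the victim's Bash profile that launches a binary on every shell start with its output discarded. The following Python heuristic is an added example, not code from ESET's report or from the article, showing how a defender might scan shell startup files for that pattern. The sample profile content, the file names in it, and the scoring thresholds are all constructed for illustration; real ESET indicators are not reproduced here.

```python
"""Heuristic scan of a Bash profile for silenced auto-launch entries.

Added example (not ESET's or the article's code). Flags lines that execute
something from a user-writable location while discarding stdout/stderr,
which is the shape of the persistence entry the report attributes to
OdicLoader (MITRE T1546.004 combined with T1562.003).
"""
import re
from dataclasses import dataclass
from typing import List

# Lines that are routine in a profile and are skipped outright.
_BENIGN = re.compile(
    r"^\s*(#|$|export\s|alias\s|source\s|\.\s|PS1=|PATH=|shopt\s|set\s|umask\s)"
)
# stdout and/or stderr sent to /dev/null: the "output muted" behaviour.
_MUTED = re.compile(r">\s*/dev/null|2>&1|&>\s*/dev/null")
# A path under the home directory or /tmp, i.e. a location a user-level
# dropper can write to without privileges.
_USER_PATH = re.compile(r"(~|\$HOME|/home/[^/\s]+|/tmp)/[^\s;&|]+")


@dataclass
class Finding:
    line_no: int      # 1-based line number within the profile text
    line: str         # the stripped offending line
    reasons: List[str]


def scan_profile(text: str) -> List[Finding]:
    """Return suspicious lines: output muted plus at least one more signal."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if _BENIGN.match(line):
            continue
        reasons = []
        if _MUTED.search(line):
            reasons.append("output-muted")
        if _USER_PATH.search(line):
            reasons.append("user-writable-path")
        if line.endswith("&") or " & " in line or "nohup " in line:
            reasons.append("backgrounded")
        # Muting alone is common in legitimate profiles; require a second signal.
        if "output-muted" in reasons and len(reasons) >= 2:
            findings.append(Finding(n, line, reasons))
    return findings


# Constructed sample ~/.bash_profile: three normal lines, one interactive
# helper line, and two hypothetical silenced launches from user-writable paths.
SAMPLE_PROFILE = "\n".join([
    "# ~/.bash_profile (constructed sample)",
    'export PATH="$HOME/bin:$PATH"',
    "alias ll='ls -la'",
    "[ -f ~/.fzf.bash ] && source ~/.fzf.bash",
    "~/.local/share/update-helper >/dev/null 2>&1 &",
    "nohup /tmp/.cache/svc > /dev/null 2>&1",
])


def demo() -> List[Finding]:
    """Run the scanner over the constructed sample and return its findings."""
    return scan_profile(SAMPLE_PROFILE)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {f.line}  [{', '.join(f.reasons)}]")
```

In practice the scanner would be pointed at `~/.bash_profile`, `~/.bashrc`, `~/.profile` and the system-wide `/etc/profile.d/` files for every account, with findings compared against a known-good baseline; the two-signal rule keeps ordinary `2>/dev/null` idioms in interactive helper lines (like the `fzf` line in the sample) from generating noise.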