A new campaign targeting Linux users, part of the long-running Operation Dream Job, has been attributed to the Lazarus Group, a North Korea-aligned state-sponsored actor.

In a recently published report, analysts from cybersecurity firm ESET revealed that this social engineering scheme uses fraudulent job offers to trick unsuspecting targets into downloading malware.

The attack chain uses a fake HSBC job offer as a decoy inside a ZIP archive. The archive carries a Linux downloader (OdicLoader) that masquerades as a PDF file; once run, it fetches the final stage, a Linux backdoor named SimplexTea, from an OpenDrive cloud storage account.

The method used to distribute the ZIP file is suspected to be either spear-phishing or direct messages on LinkedIn.

The Lazarus Group has also been linked to a recent supply chain attack on VoIP software developer 3CX.


Indicators of Compromise

SHA-1
0CA1723AFE261CD85B05C9EF424FC50290DCE7DF
3A63477A078CE10E53DFB5639E35D74F93CEFA81
9D8BADE2030C93D0A010AA57B90915EB7D99EC82
F6760FB1F8B019AF2304EA6410001B63A1809F1D

Domains
od[.]lk
journalide[.]org

IP addresses
23.254.211[.]230
38.108.185[.]79
38.108.185[.]115
172.93.201[.]88

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | Lazarus attackers probably approached a target with a fake HSBC-themed job offer that would fit the target's interests. This has mostly been done via LinkedIn in the past.
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Unlike many previous cases of compromised C&Cs used in Operation DreamJob, Lazarus operators registered their own domain for the Linux target.
Resource Development | T1587.001 | Develop Capabilities: Malware | The custom tools used in the attack were very likely developed by the attackers themselves.
Resource Development | T1585.003 | Establish Accounts: Cloud Accounts | The attackers hosted the final stage on the cloud service OpenDrive.
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | The attackers hosted the final stage on the cloud service OpenDrive.
Execution | T1204.002 | User Execution: Malicious File | OdicLoader masquerades as a PDF file in order to fool the target.
Initial Access | T1566.002 | Phishing: Spearphishing Link | The target likely received a link to third-party remote storage hosting a malicious ZIP archive, which was later submitted to VirusTotal.
Persistence | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | OdicLoader modifies the victim's Bash profile so that SimplexTea is launched each time Bash is started, with its output muted.
Defense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | SimplexTea can create a new process if instructed to by its C&C server.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | SimplexTea stores its configuration in an encrypted file, apdl.cf.
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers in all malicious chains contain an embedded data array holding an additional stage.
Defense Evasion | T1562.003 | Impair Defenses: Impair Command History Logging | OdicLoader modifies the victim's Bash profile so that the output and error messages from SimplexTea are muted. SimplexTea executes new processes using the same technique.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | SimplexTea has the ability to delete files securely.
Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | SimplexTea implements multiple custom sleep delays during its execution.
Discovery | T1083 | File and Directory Discovery | SimplexTea can list the contents of a directory with file names, sizes, and timestamps (mimicking the ls -la command).
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | SimplexTea can use HTTP and HTTPS to communicate with its C&C server, using a statically linked Curl library.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SimplexTea encrypts C&C traffic using the AES-GCM algorithm.
Command and Control | T1132.001 | Data Encoding: Standard Encoding | SimplexTea encodes C&C traffic using base64.
Command and Control | T1090 | Proxy | SimplexTea can use a proxy for its communications.
Exfiltration | T1041 | Exfiltration Over C2 Channel | SimplexTea can exfiltrate data to its C&C server as ZIP archives.
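As an added host-triage example (this is not ESET's code and is not part of the original report), the script below looks for the two host-side artefacts described above: a shell profile line that launches a binary from a user-writable location with its output sent to /dev/null (the OdicLoader persistence pattern, T1546.004 and T1562.003), and files whose SHA-1 matches the IoC list. The profile contents, file names and paths used to exercise it are constructed samples, not artefacts from the campaign. The profile heuristic is a triage aid: it will also flag legitimate user-installed agents started from a dotfile, so every hit needs a look at the binary it points to.

```python
#!/usr/bin/env python3
"""Host triage for Operation DreamJob Linux artefacts (added example, not ESET's tooling).

Checks (1) Bash/sh profile files for a line that runs a binary from the home
directory or a temp location with stdout/stderr muted, and (2) SHA-1 hashes of
files under a directory against the published IoC list.
"""
import hashlib
import os
import shlex
from pathlib import Path

# SHA-1 IoCs from the report, lower-cased for comparison.
IOC_SHA1 = {
    "0ca1723afe261cd85b05c9ef424fc50290dce7df",
    "3a63477a078ce10e53dfb5639e35d74f93cefa81",
    "9d8bade2030c93d0a010aa57b90915eb7d99ec82",
    "f6760fb1f8b019af2304ea6410001b63a1809f1d",
}

# Startup files Bash (and sh) read; T1546.004 persistence lands in one of these.
PROFILE_NAMES = (".bash_profile", ".bashrc", ".profile", ".bash_login")
# Locations an unprivileged user can write to besides the home directory.
WRITABLE_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def suspicious_profile_lines(text, home):
    """Return (line_number, command_path) for lines that run a binary located in
    `home` or a temp directory while redirecting output to /dev/null."""
    home = home.rstrip("/")
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or "/dev/null" not in line:  # muted output is the trigger
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                       # unbalanced quotes: fall back
            tokens = line.split()
        # Skip wrappers commonly used to detach the process from the shell.
        while tokens and tokens[0] in ("nohup", "exec", "setsid"):
            tokens.pop(0)
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd.startswith("~"):
            cmd = home + cmd[1:]
        elif cmd.startswith("$HOME"):
            cmd = home + cmd[len("$HOME"):]
        if cmd.startswith(home + "/") or cmd.startswith(WRITABLE_ROOTS):
            hits.append((lineno, cmd))
    return hits


def scan_home(home):
    """Scan a user's profile files; hash any binary a flagged line launches."""
    findings = []
    for name in PROFILE_NAMES:
        p = Path(home) / name
        if not p.is_file():
            continue
        for lineno, cmd in suspicious_profile_lines(p.read_text(errors="replace"), home):
            digest = sha1_of(cmd) if os.path.isfile(cmd) else None
            findings.append({
                "profile": str(p), "line": lineno, "command": cmd,
                "sha1": digest, "ioc_match": digest in IOC_SHA1 if digest else False,
            })
    return findings


def ioc_hash_matches(root, iocs=IOC_SHA1):
    """Walk `root` and return {path: sha1} for regular files whose SHA-1 is in `iocs`."""
    matches = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if not os.path.isfile(full):         # skip FIFOs, sockets, dangling links
                continue
            try:
                digest = sha1_of(full)
            except OSError:                      # unreadable file: move on
                continue
            if digest in iocs:
                matches[full] = digest
    return matches


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    print(json.dumps({"profile_findings": scan_home(target),
                      "ioc_matches": ioc_hash_matches(target)}, indent=2))
```

Run it as the user being triaged, or pass a mounted home directory as the first argument. A hit with `ioc_match` true is a direct indicator; a hit with no match still deserves a look, since the hashes above cover only the samples ESET analysed.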