Lazarus hackers now push Linux malware via fake job offers (Security News, April 2023)
A new Lazarus campaign considered part of "Operation DreamJob" has been discovered targeting Linux users with malware for the first time.
Lazarus' Operation DreamJob, also known as Nukesped, is an ongoing operation targeting people who work in software or DeFi platforms with fake job offers on LinkedIn or other social media and communication platforms.
In the case discovered by ESET, Lazarus distributes a ZIP archive named "HSBC job offer.pdf.zip" through spearphishing or direct messages on LinkedIn.
Upon analysis of SimplexTea, ESET determined that it is very similar in functionality, encryption techniques, and hardcoded infrastructure to Lazarus' Windows malware named "BadCall," as well as to the macOS variant called "SimpleSea."
"Taking a look at the three 32-bit integers, 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment," explained ESET. The XOR key between SimplexTea and SimpleSea payloads differs; however, the configuration file uses the same name, "Apdl.cf."
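A defender-side check for the shared key material ESET describes: an added Python example, not ESET's or the article's own code, that scans a byte buffer for the three 32-bit constants in either byte order and flags the buffer only when all three are present. The sample input is constructed here, not taken from a real binary.

```python
import struct
from typing import Dict, List

# The three 32-bit integers ESET reports as the key for the custom A5/1
# implementation shared by SimplexTea, SimpleSea and BadCall (values from the article).
A51_KEY_CONSTANTS = (0xC2B45678, 0x90ABCDEF, 0xFE268455)


def find_constants(data: bytes) -> Dict[str, List[int]]:
    """Return, per constant, the byte offsets at which it occurs in `data`.

    Each value is searched as both little-endian and big-endian, since the
    on-disk byte order depends on the target architecture.
    """
    hits: Dict[str, List[int]] = {}
    for value in A51_KEY_CONSTANTS:
        name = f"0x{value:08X}"
        offsets: List[int] = []
        for fmt in ("<I", ">I"):
            needle = struct.pack(fmt, value)
            start = 0
            while (idx := data.find(needle, start)) != -1:
                offsets.append(idx)
                start = idx + 1
        hits[name] = sorted(offsets)
    return hits


def matches_lazarus_a51_key(data: bytes) -> bool:
    """True only when all three constants are present (in any byte order)."""
    return all(find_constants(data).values())


# Constructed sample: padding around the three constants laid out
# little-endian, as a compiler would emit them for an x86/ARM build.
CONSTRUCTED_SAMPLE = b"\x00" * 16 + struct.pack("<III", *A51_KEY_CONSTANTS) + b"\xff" * 8
# Constructed clean buffer containing an unrelated 32-bit value.
CONSTRUCTED_CLEAN = b"\x00" * 16 + struct.pack("<I", 0x12345678) + b"\xff" * 8

if __name__ == "__main__":
    print(find_constants(CONSTRUCTED_SAMPLE))
    print(matches_lazarus_a51_key(CONSTRUCTED_SAMPLE))
    print(matches_lazarus_a51_key(CONSTRUCTED_CLEAN))
```

A single hit on one constant is weak evidence on its own; requiring all three keeps false positives down when scanning large file sets.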
Lazarus' shift to Linux malware and the 3CX attack illustrate their ever-evolving tactics, which now cover all major operating systems, including Windows and macOS. Similar Lazarus Operation DreamJob attacks have been enormously successful for the threat actors, allowing them to steal $620 million from Axie Infinity.