Lazarus hackers now push Linux malware via fake job offers (Security News, April 2023)

A new Lazarus campaign considered part of "Operation DreamJob" has been discovered targeting Linux users with malware for the first time.
Lazarus' Operation DreamJob, also known as Nukesped, is an ongoing operation targeting people who work in software or DeFi platforms with fake job offers on LinkedIn or other social media and communication platforms.
In the case discovered by ESET, Lazarus distributes a ZIP archive named "HSBC job offer.pdf.zip" through spearphishing or direct messages on LinkedIn; the archive delivers a Linux backdoor that ESET named SimplexTea.
Upon analysis of SimplexTea, ESET determined that it is very similar in functionality, encryption techniques, and hardcoded infrastructure to Lazarus' Windows malware "BadCall" and to the macOS variant called "SimpleSea."
"Taking a look at the three 32-bit integers, 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment," explained ESET. SimplexTea and SimpleSea use different XOR keys for their payloads, but both use a configuration file with the same name, "Apdl.cf."
Lazarus' shift to Linux malware and the 3CX attack illustrate the group's ever-evolving tactics; its toolset now covers all major operating systems, including Windows, macOS, and Linux. Earlier Operation DreamJob lures proved highly lucrative for the threat actors, with a fake job offer serving as the entry point for the theft of $620 million from Axie Infinity.