author photo
By Cam Sivesind
Fri | Apr 21, 2023 | 8:48 AM PDT

ESET researchers have discovered a new Lazarus Group campaign targeting Linux users.

According to a recent blog post: "Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account. To our knowledge, this is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation."

Here are some comments from vendor industry experts:

Zane Bond, Head of Product at Keeper Security:

"When an adversary launches a campaign, that adversary has a purpose, and the tools used can help discern the details of that purpose.

Most campaigns the general public are exposed to are 'wide net,' low-confidence and low-click rate cyberattacks. The idea is if a bad actor sends a hundred-million emails and can get one out of a million recipients to click on it, the attacker is still netting a hundred victims. If the payload is being sent to an unknown number of users, the operating system with the highest chance of success is Windows, by a large margin.

When an adversary starts building phishing payloads for Mac, and the even less common Linux, we can assume the attacker is spear phishing, or sending the malicious email to pre-selected, and likely high-value, targets. When Linux systems are attacked, the targets are almost exclusively servers and the cloud. In these cases, the attacker knows who to target for access and can tailor messaging and social engineering efforts to that specific victim.

Luckily, no matter what OS you are running, the same basic protections apply. Don’t make risky clicks, patch your systems and use a password manager. These three simple measures will shut down most cyberattacks. Zero-click malware is usually easily detected and patched, so as long as your system is up to date, you should be safe. Standard malware that requires user intervention can be prevented by avoiding risky clicks. And lastly, a password manager autofill will be able to identify small, but easy-to-miss details like SSL certs, cross-domain iFrames, and fake websites."

John Anthony Smith, CEO at Conversant Group:

"This attack shows, in full color, how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices. The fact that they used a supply chain attack isn't itself new or surprising; supply chains are an Achilles' heel for organizations, and it was inevitable that, eventually, one supply chain may affect another into a 'threaded supply chain attack.'

This is a major (and unfortunate) milestone in security; but we will probably see more of these. We are seeing threat actors expanding their variants to affect more systems (such as BlackCat using the Rust language so that their ransomware can infect Linux systems), and be more undetectable, such as this case of purportedly employing Linux malware. It's a new look on the old 'fake offer' scenario. Threat actors will continue to find new twists, variants, schemes, and vectors—so organizations must always be agile in evaluating their controls regularly along with these changing and expanding tactics."

Bud Broomhead, CEO at Viakoo:

"Having Linux malware in the threat actor arsenal is a reflection on how have shifted their focus to include exploiting vulnerable IoT/OT devices, which exist at much higher scale than IT systems and often are not managed with the same focus on cybersecurity as IT devices.

IoT/OT devices are functionally cyber-physical systems, where there is a physical element to their operation (adjust valves, open doors, capture video); in essence, these devices are the eyes, ears, and hands of an organization. Nation-state threat actors in particular look to infect and have a foothold in cyber-physical system infrastructure because of their potential to disrupt and confuse their victims."

The part of the attack affecting systems running macOS was covered in detail in a Twitter thread and a blog post by security researcher Patrick Wardle.

Comments