Rewterz Threat Alert – North Korean Lazarus APT group Push Linux Malware In Recent Attacks Via Fake Job Offers – Active IOCs

Severity

High

Analysis Summary

The North Korea-linked APT group, Lazarus, has been identified as the culprit behind a new campaign called Operation DreamJob, also known as DeathNote or NukeSped. This campaign reportedly used Linux malware and social engineering techniques, specifically fake job offers, to compromise its targets.

According to the researchers, the attack begins with spear-phishing emails or direct messages on LinkedIn that deliver a ZIP file. The ZIP file contains a fake job offer from HSBC and a native 64-bit Intel Linux binary written in Go, which is named “HSBC job offer.pdf.”

When the victim opens the binary file, it launches a backdoor, allowing the attacker to gain unauthorized access to the victim’s system. From there, the attacker can carry out various malicious activities, including stealing sensitive data, planting additional malware, and executing remote commands.

Operation Dream Job, also known as DeathNote or NukeSped involves multiple attack waves where the North Korea-linked APT group, Lazarus, uses fraudulent job offers to lure unsuspecting victims into downloading malware. Operation In(ter)ception and Operation North Star, two more Lazarus clusters, show overlaps with this campaign.

When the file is executed, the attackers utilize xdg-open to show a decoy PDF user. The second-stage backdoor SimplexTea is downloaded from OpenDrive via the ELF downloader, which experts have named OdicLoader.

Researchers have identified similarities between the artifacts used in Operation Dream Job and those involved in the supply chain attack on VoIP software developer 3CX, which was discovered last month. These similarities suggest that the same threat actor may be behind both attacks and that they are part of a broader campaign. 

One of the pieces of evidence linking the supply chain attack on VoIP software developer 3CX to the Lazarus APT group is the domain journalist[.]org, which was used as one of the four command-and-control (C2) servers to control the malware involved in the attack.

According to experts, the supply chain attack has been planned since December 2022, when some of the components were uploaded on the GitHub code-hosting platform.

“It is also interesting to note that Lazarus can produce and use malware for all major desktop operating systems: Windows, macOS, and Linux. Both Windows and macOS systems were targeted during the 3CX incident, with 3CX’s VoIP software for both operating systems being trojanized to include malicious code to fetch arbitrary payloads. In the case of 3CX, both Windows and macOS second-stage malware versions exist.”, they conclude

Impact

• Information Theft and Espionage
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• 3cf7232e5185109321921046d039cf10
• fc41cb8425b6432af8403959bb59430d
• aac5a52b939f3fe792726a13ff7a1747

SHA-256

• 492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd
• f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff652ca
• cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a

SHA-1

• 3a63477a078ce10e53dfb5639e35d74f93cefa81
• 9d8bade2030c93d0a010aa57b90915eb7d99ec82
• f6760fb1f8b019af2304ea6410001b63a1809f1d

URL

• https://journalide.org/djour.php
• https://od.lk/d/NTJfMzg4MDE1NzJf/vxmedia

Remediation

• Block all threat indicators at your respective controls. Search for IOCs in your environment.
• Implement email security measures
• Keep software up-to-date: Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
• Use multi-factor authentication: Implement multi-factor authentication for all accounts to make it more difficult for attackers to gain access to sensitive systems and data.
• Monitor network traffic: Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
• Implement endpoint security: Deploy endpoint security solutions that can detect and block malware, including Linux malware.
• Conduct regular security training: Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
• Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.
• Use security intelligence feeds: Use security intelligence feeds to stay up-to-date on the latest threats and to proactively detect and prevent attacks.
• By implementing these remediation organizations can reduce their risk of falling victim to the Lazarus APT group’s attacks via fake job offers and other tactics. It’s important to note that security is a continuous process, and organizations should regularly review and update their security measures to stay ahead of evolving threats.