lazarusholic


Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack

2023-04-20, ESET
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
#3CXDesktopApp #SmoothOperator #YARA #DreamJob


Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account. To our knowledge, this is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation.
Additionally, this discovery helped us confirm with a high level of confidence that the recent 3CX supply-chain attack was in fact …

IoC

/*
The following rule will only work with YARA version >= 3.11.0
*/
import "pe"

rule RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023
{
    meta:
        description = "Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12"
        author = "ESET Research"
        date = "2023-03-31"
        hash = "3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B"
        hash = "CAD1120D91B812ACAFEF7175F949DD1B09C6C21A"
        hash = "5B03294B72C0CAA5FB20E7817002C600645EB475"
        hash = "7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC"
    condition:
        // pe.rich_signature.toolid(toolid, version) returns how many times the
        // (product id, build number) pair occurs in the PE's Rich header, i.e. the
        // linker's record of which compiler/tool builds produced the object files.
        // Exact counts pin the loader/stealer build; the ranges absorb the variation
        // seen across the related 2022-12 cryptocurrency payloads.
        pe.rich_signature.toolid(259, 30818) == 9 and
        pe.rich_signature.toolid(256, 31329) == 1 and
        pe.rich_signature.toolid(261, 30818) >= 30 and pe.rich_signature.toolid(261, 30818) <= 38 and
        pe.rich_signature.toolid(261, 29395) >= 134 and pe.rich_signature.toolid(261, 29395) <= 164 and
        pe.rich_signature.toolid(257, 29395) >= 6 and pe.rich_signature.toolid(257, 29395) <= 14
}
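The rule above matches on the Rich header rather than on strings or code, so it is worth seeing what that header is and what the condition actually computes. The script below is an added example written for this page; it is not ESET's code and does not parse a real 3CX sample. It decodes the Rich header the way the YARA pe module does (find the clear-text "Rich" marker, take the XOR key that follows it, walk back to the XORed "DanS" signature, then decode each (product id, build) / count pair), exposes a toolid() lookup with the same semantics as pe.rich_signature.toolid(toolid, version), and transcribes the rule's condition into Python. The fixture it runs on is a constructed MZ stub with counts chosen to satisfy the rule (the key 0x1F3A5C7E is arbitrary, not the linker's checksum, and the extra (1, 0) "unmarked objects" row is invented); a second fixture with one count off shows the rule correctly not firing.

```python
import struct

# Constructed (toolid, build) -> count table chosen to satisfy ESET's thresholds,
# plus one "unmarked objects" row (product id 1, build 0) so the fixture looks like
# a real Rich header. Test values only, not counts taken from a 3CX sample.
RULE_COUNTS = {
    (259, 30818): 9,     # rule requires exactly 9
    (256, 31329): 1,     # rule requires exactly 1
    (261, 30818): 34,    # rule accepts 30..38
    (261, 29395): 150,   # rule accepts 134..164
    (257, 29395): 10,    # rule accepts 6..14
    (1, 0): 170,
}
KEY = 0x1F3A5C7E         # arbitrary XOR key for the fixture (not a real checksum)

DANS = struct.unpack("<I", b"DanS")[0]


def build_rich_header(key: int, entries: dict) -> bytes:
    """Build a minimal MZ stub carrying a Rich header. Test fixture only: the key
    is not the checksum the linker derives from the DOS header and entries."""
    dos_stub = b"MZ" + b"\x00" * 126
    block = struct.pack("<I", DANS ^ key)
    block += struct.pack("<III", key, key, key)          # three zero DWORDs, XORed with key
    for (toolid, build), count in entries.items():
        comp = (toolid << 16) | build                      # high 16 bits = product id, low 16 = build
        block += struct.pack("<II", comp ^ key, count ^ key)
    block += b"Rich" + struct.pack("<I", key)              # clear-text marker, then the key
    return dos_stub + block + b"\x00" * 64


def parse_rich_header(data: bytes) -> dict:
    """Return {(toolid, build): count} from the Rich header, or {} if there is none."""
    end = data.find(b"Rich")
    if end < 0 or end + 8 > len(data):
        return {}
    key = struct.unpack_from("<I", data, end + 4)[0]
    pos = end - 4
    while pos >= 0:                                        # walk back to the XORed "DanS"
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            break
        pos -= 4
    else:
        return {}
    counts = {}
    for off in range(pos + 16, end, 8):                    # skip DanS + 3 padding DWORDs
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        counts[(comp >> 16, comp & 0xFFFF)] = count ^ key
    return counts


def toolid(counts: dict, tid: int, build: int) -> int:
    """Mirror of pe.rich_signature.toolid(toolid, version): 0 when the pair is absent."""
    return counts.get((tid, build), 0)


def matches_eset_rule(counts: dict) -> bool:
    """Python transcription of the condition in
    RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023."""
    t = lambda tid, build: toolid(counts, tid, build)
    return (
        t(259, 30818) == 9
        and t(256, 31329) == 1
        and 30 <= t(261, 30818) <= 38
        and 134 <= t(261, 29395) <= 164
        and 6 <= t(257, 29395) <= 14
    )


SAMPLE_PE = build_rich_header(KEY, RULE_COUNTS)
# Same toolchain fingerprint with one count off by one: the rule must not fire.
FORGED_PE = build_rich_header(KEY, {**RULE_COUNTS, (259, 30818): 8})

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PE), ("off-by-one", FORGED_PE)):
        c = parse_rich_header(blob)
        print(name, sorted(c.items()), "->", matches_eset_rule(c))
```

Two caveats a practitioner would add when deploying a rule like this: the Rich header is unauthenticated metadata, so it can be stripped or forged by anyone who controls the build, and this parser (unlike a careful one) does not recompute the XOR key as the checksum over the DOS header and entries, so a corrupted header would still decode. Treat a hit as a toolchain pivot to confirm against the hashes and network indicators below, not as proof of attribution.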
SHA-1:
0CA1723AFE261CD85B05C9EF424FC50290DCE7DF
1C66E67A8531E3FF1C64AE57E6EDFDE7BEF2352D
2ACC6F1D4656978F4D503929B8C804530D7E7CF6
3A63477A078CE10E53DFB5639E35D74F93CEFA81
3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B
58B0516D28BD7218B1908FB266B8FE7582E22A5F
5B03294B72C0CAA5FB20E7817002C600645EB475
65122E5129FC74D6B5EBAFCC3376ABAE0145BC14
7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC
9D8BADE2030C93D0A010AA57B90915EB7D99EC82
CAD1120D91B812ACAFEF7175F949DD1B09C6C21A
D288766FA268BC2534F85FD06A5D52264E646C47
DCEF83D8EE080B54DC54759C59F955E73D67AA65
F6760FB1F8B019AF2304EA6410001B63A1809F1D

SHA-256:
492A643BD1EFDACA4CA125ADE1B606E7BBF00E995AC9115AC84D1C4C59CB66DD
CC307CFB401D1AE616445E78B610AB72E1C7FB49B298EA003DD26EA80372089A
EEBB01932DE0B5605DD460CC82844D8693C00EA8AB5FFDF8DBEDE6528C1C18FD
F638E5A20114019AD066DD0E856F97FD865798D8FBED1766662D970BEFF652CA

MD5:
3CF7232E5185109321921046D039CF10
AAC5A52B939F3FE792726A13FF7A1747
CEDB9CDBAD254F60CFB215B9BFF84FB9
FC41CB8425B6432AF8403959BB59430D

IP addresses:
172.93.201.88
23.254.211.230
38.108.185.115
38.108.185.79

URLs:
http://172.93.201.88
http://23.254.211.230
http://38.108.185.115
http://38.108.185.79
http://journalide.org
http://od.lk
https://journalide.org/djour.php
https://od.lk/d/NTJfMzg4MDE1NzJf/vxmedia