Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

In March 2023, a cyber attack was uncovered that had compromised several companies by utilizing a trojanized version of the 3CX client, which included information-stealing trojans.
Suspicions were already
circulating that Lazarus, a notorious threat actor, was behind the attack.
Multiple cybersecurity firms have now concurred, with high confidence, that the group responsible for the trojanization of 3CX has links to
North Korea.
Lazarus is conducting an ongoing operation known as “Operation DreamJob” or “Nukesped,” which targets individuals who work in software or DeFi platforms.
The operation involves social engineering attacks that utilize fake job offers on platforms such as LinkedIn or other communication channels to trick victims into downloading malicious files.
These files are disguised as documents containing details about the job offer but instead drop malware onto the victim’s computer.

ESET researchers discovered a specific instance of this operation where Lazarus distributed a ZIP archive named “HSBC job offer.pdf.zip” via spearphishing or direct messages on LinkedIn.
The archive contained a Linux binary written in Go that used a Unicode character in its name to make it appear like a PDF.
ESET notes that the file extension is not actually .pdf, as the apparent dot character in the filename is a leader dot represented by the U+2024 Unicode character.
The reason for using the leader dot in the filename was likely an attempt to deceive the file manager into treating the file as an executable rather than a PDF.
This tactic could result in the file running automatically upon double-clicking it, rather than opening it with a PDF viewer.

When the recipient clicks on the file, a malware variant known as “OdicLoader” is launched.
OdicLoader initially displays a fake PDF while also downloading a second-stage malware payload from a private repository hosted on the OpenDrive cloud service.
The second-stage payload is a C++ backdoor called “SimplexTea,” which is deposited at the location “~/.config/guiconfigd.
SimplexTea.” To ensure that SimplexTea is launched with Bash and its output is muted whenever a new shell session is initiated, OdicLoader modifies the user’s
~/.bash_profile.

ESET researchers have discovered similarities between the artifacts used in the Dream Job campaign and those employed in the recent supply chain attack on VoIP software developer 3CX.
For example, both campaigns used the same command-and-control (C2) domain, “journalide[.]org,” which was identified as one www.sisainfos