32.Lock Code Circular Esm W900

New cyber research connects the infamous North Korea-aligned Lazarus Group behind the Linux malware attack called Operation DreamJob to the 3CX supply-chain attack.

In the company’s April 20 Live Security cyber report, ESET researchers announced a connection between the Lazarus Group and expanded attacks now targeting the Linux OS. The attacks are part of a persistent and long-running activity tracked under the name Operation DreamJob that impacted supply chains, according to the ESET cybersecurity team.

Lazarus Group uses social engineering techniques to compromise targets, with fake job offers as the lure. In this case, ESET researchers reconstructed the entire chain from the zip file that delivers a fake HSBC job offer as a decoy to the final payload. Researchers identified the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.

This is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation, according to ESET. This discovery helped the team confirm “with a high level of confidence” that the Lazarus Group conducted the recent 3CX supply-chain attack.

Researchers suspected for some time that Korean state-sponsored attackers were involved in the ongoing DreamJob cyberattacks. This latest report corroborates that connection, according to the blog post.

“This attack shows, in full color, how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices,” John Anthony Smith, CEO of infrastructure and cybersecurity services firm Conversant Group, told LinuxInsider.