ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users, which corroborates the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack, according to a blog post by the cybersecurity firm. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, the group used a fake job offer from HSBC as a decoy to persuade unsuspecting Linux users to download and execute malicious files. The full chain, from the ZIP file to the final payload, was reconstructed by ESET researchers.
The 3CX supply-chain attack, discovered in March 2023, saw an international VoIP software developer and distributor compromised, with malicious code added to its software that enabled attackers to download and run arbitrary code on all machines where the application was installed. While it was quickly determined that 3CX was not responsible for the malicious code, the source of the attack remained undetermined until now. Security researchers have suspected that North Korea-aligned Lazarus was behind the attack since it was first discovered, and ESET’s latest findings have confirmed this theory.
The perpetrators had planned the attacks long before execution, as early as December 2022, with the malicious macOS update signed in late January. However, it is unclear whether the update was distributed prior to February 14th. ESET telemetry shows the existence of the macOS second-stage payload as early as February, but the company had neither the sample itself nor any metadata that would have indicated it was malicious.
A mysterious Linux downloader was submitted to VirusTotal several days before the 3CX attack was publicly revealed. The downloader was found to retrieve a new Lazarus malicious payload for Linux, which provided compelling evidence of the connection between Lazarus and the 3CX supply-chain attack. The attackers used GitHub for obfuscation, using it as a dead drop resolver.
Lazarus has been linked to Operation DreamJob since ClearSky coined the term in a paper published in August 2020. The group uses fake LinkedIn profiles bearing industry leaders’ names to approach targets with job offers, then compromises them through social engineering, either spearphishing or direct messages on LinkedIn. A native Linux payload was found on VirusTotal, and this news comes a few weeks after Lazarus was seen targeting macOS.
The news of Lazarus being behind the 3CX supply-chain attack confirms the severity of the incident, as the VoIP software developer has over 600,000 customers and 12,000,000 users in various sectors, including aerospace, healthcare, and hospitality. As Lazarus is a major North Korea-aligned threat actor, its continued activities could cause significant disruption and destruction. It is essential to detect such attacks early and take appropriate defensive measures to mitigate their potential damage.