Lazarus Group Incorporates Linux Malware Into Attack Arsenal for Operation Dream Job

Published by Ari Denial on April 22, 2023

According to a recent report by ESET, the infamous Lazarus Group, a state-sponsored actor with links to North Korea, has been identified as the culprit behind a fresh campaign targeting Linux users.

This activity is part of a prolonged and ongoing operation called Operation Dream Job, which has now been linked to the group. The discovery is significant as it represents the first instance in which the Lazarus Group has publicly utilized Linux malware as part of this social engineering campaign. The revelation is critical for security professionals, as it highlights the evolving tactics of this notorious threat actor.

Mandiant’s investigation into the 3CX breach, previously attributed to North Korean-affiliated threat actors, confirms that the breach was due to the installation of trojanized trading software in another supply chain attack.

This incident highlights the persistent threat posed by North Korean actors and emphasizes the need for comprehensive cybersecurity measures to safeguard against such attacks.

Lazarus Group’s ongoing Operation Dream Job targets software and DeFi platform workers with fake job offers on social media platforms such as LinkedIn. These attacks use social engineering tactics to trick victims into downloading malicious files that contain malware, such as the recently discovered OdicLoader and SimplexTea.

The malware is distributed via spearphishing or direct messages on LinkedIn and is disguised as a PDF by using Unicode characters in the file name. When launched, it downloads a second-stage payload, a C++ backdoor called SimplexTea, which is dropped at “~/.config/guiconfigd.SimplexTea”.
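A defender's check for the lure described above, written as an added example for this article rather than code from ESET or the campaign: it flags file names whose visible “.pdf” ending is produced by a full-stop lookalike rather than a real ASCII dot, and names whose content starts with the ELF magic while the name suggests a document. The set of lookalike code points and the sample file name are assumptions for the example; the article does not say which character the attackers used.

```python
import unicodedata
from typing import List, Optional

# Code points that render like an ASCII full stop, so "offer<U+2024>pdf"
# reads as "offer.pdf" while the OS sees a name with no extension at all.
# This list is an assumption for the example; the article does not say
# which character the campaign used.
DOT_LOOKALIKES = {
    "\u2024",  # ONE DOT LEADER
    "\u2027",  # HYPHENATION POINT
    "\ufe52",  # SMALL FULL STOP
    "\uff0e",  # FULLWIDTH FULL STOP
}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "txt", "rtf"}
ELF_MAGIC = b"\x7fELF"  # first four bytes of every Linux ELF binary


def apparent_extension(name: str) -> Optional[str]:
    """Extension a person reading the name would see (lookalikes count as '.')."""
    folded = "".join("." if ch in DOT_LOOKALIKES else ch for ch in name)
    return folded.rsplit(".", 1)[1].lower() if "." in folded else None


def real_extension(name: str) -> Optional[str]:
    """Extension the operating system actually uses (ASCII '.' only)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else None


def check_attachment(name: str, header: bytes) -> List[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    hits = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in name if c in DOT_LOOKALIKES]
    if hits:
        findings.append("dot lookalike in filename: " + ", ".join(hits))
    seen, actual = apparent_extension(name), real_extension(name)
    if seen != actual:
        findings.append(f"apparent extension {seen!r} differs from real extension {actual!r}")
    if header.startswith(ELF_MAGIC) and seen in DOCUMENT_EXTENSIONS:
        findings.append(f"content is an ELF executable but the name suggests a .{seen} document")
    return findings


# Constructed sample: the name displays as "job offer.pdf", the content is an ELF header.
SAMPLE_NAME = "job offer\u2024pdf"
SAMPLE_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9

if __name__ == "__main__":
    for finding in check_attachment(SAMPLE_NAME, SAMPLE_HEADER):
        print("WARNING:", finding)
```

Run it against the first 16 bytes of each incoming attachment together with its name; a genuine PDF named with an ASCII dot produces no findings.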

ESET’s analysis of SimplexTea revealed similarities in functionality, encryption techniques, and hardcoded infrastructure with Lazarus’ Windows malware “BadCall” and its macOS variant “SimpleSea.”

Additionally, an earlier variant of SimplexTea, called “sysnetd” and written in C, was found on VirusTotal. The sysnetd backdoor uses an XOR key previously used by the SimpleSea malware and loads its configuration from a file named /tmp/vgauthsvclog, indicating that the intended target was likely a Linux VMware virtual machine. These findings highlight the adaptability of Lazarus’ tactics, which now encompass all major operating systems.
