The Lazarus group, linked to North Korea, is now targeting Linux systems with malware through fake job offers on LinkedIn.

The malware, named “OdicLoader,” is a Linux binary disguised as a PDF file: it displays a decoy document while downloading a second-stage malware payload from the OpenDrive cloud service.

Linux users are advised to keep their systems up to date and to exercise caution when receiving job offers from unknown sources, especially on social media platforms like LinkedIn.

The Lazarus group, a notorious hacking group linked to North Korea, has been spotted using fake job offers to deliver malware that specifically targets Linux systems. Lazarus is known for attacks in which it impersonates trusted sources such as colleagues and service providers. With this campaign the group has added Linux to its target list, which means it now has malware for all major operating systems.

Operation: Dream Job

According to researchers at ESET, the group approaches unsuspecting individuals, possibly via LinkedIn, with spear-phishing attacks: messages crafted to look as if they come from a trusted source in order to obtain sensitive information or access to a computer. ESET further reports that a user submitted a ZIP archive called “HSBCjoboffer.pdf.zip” to VirusTotal, the service used to check whether an uploaded file is flagged as malicious. The archive contained a single file named “HSBC job offer.pdf”, which is not a PDF at all but a native 64-bit Linux binary written in Go; the “.pdf” in the name is there to make the executable look like a document.

The victim in this scenario receives the job offer and opens the file. When run, the binary, which ESET named “OdicLoader,” displays a decoy PDF document while it downloads a malware payload, SimplexTea, from a private repository hosted on the OpenDrive cloud service. The payload is written to “~/.config/guiconfigd”, and as the last step OdicLoader modifies “~/.bash_profile” so that SimplexTea is launched by Bash at the user's next login shell, with its output muted.
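The detection side of the behaviour described above, as an added example that is not code from the article or from ESET: a small POSIX shell script that hunts for the indicators the article reports (an ELF binary named as a .pdf, a file at ~/.config/guiconfigd, and a launch line written into ~/.bash_profile). The sample home directories it scans are constructed in the script itself, and the exact persistence line it writes into the sample profile is an assumption for the demo, since the article does not quote the line OdicLoader writes.

```shell
#!/bin/sh
# Added example, not code from the article or from ESET. Hunts for the three
# indicators the article reports. All files below are constructed here so the
# script runs offline; nothing is downloaded or executed.

# Returns 0 if "$1" has a .pdf name but starts with the ELF magic bytes
# 7f 45 4c 46. A genuine PDF starts with "%PDF" (25 50 44 46) instead.
is_elf_disguised_as_pdf() {
    case "$1" in
        *.pdf) ;;
        *) return 1 ;;
    esac
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Returns 0 and prints the matching line(s) if the profile "$1" references
# the reported drop path; returns 1 if the file is absent or clean.
profile_launches_payload() {
    [ -f "$1" ] || return 1
    grep -n 'guiconfigd' "$1"
}

# Scans a home directory and prints the number of indicators found (stdout);
# details go to stderr. Bash reads ~/.bash_profile for login shells and falls
# back to ~/.profile when it is absent, so both are checked.
hunt_home() {
    home="$1"
    findings=0
    if [ -f "$home/.config/guiconfigd" ]; then
        echo "payload present: $home/.config/guiconfigd" >&2
        findings=$((findings + 1))
    fi
    for rc in .bash_profile .profile; do
        if profile_launches_payload "$home/$rc" >/dev/null 2>&1; then
            echo "persistence line in $home/$rc" >&2
            findings=$((findings + 1))
        fi
    done
    for f in "$home"/*.pdf; do
        [ -e "$f" ] || continue
        if is_elf_disguised_as_pdf "$f"; then
            echo "ELF disguised as PDF: $f" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# --- Constructed sample data (not real artefacts) ---
SAMPLE_HOME=$(mktemp -d)
CLEAN_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME" "$CLEAN_HOME"' EXIT
mkdir -p "$SAMPLE_HOME/.config"
# A stand-in for the dropped payload: an ELF header is enough for the check.
printf '\177ELF\002\001\001' > "$SAMPLE_HOME/.config/guiconfigd"
# Assumed persistence line: run the payload from the profile, output muted.
printf '%s\n' 'export PATH=$HOME/bin:$PATH' \
    '~/.config/guiconfigd >/dev/null 2>&1 &' > "$SAMPLE_HOME/.bash_profile"
# The lure: a "PDF" that is really an ELF file, next to a real-looking PDF.
printf '\177ELF\002\001\001' > "$SAMPLE_HOME/HSBC job offer.pdf"
printf '%%PDF-1.4\n' > "$SAMPLE_HOME/real.pdf"
# A clean profile for comparison.
printf '%s\n' 'export PATH=$HOME/bin:$PATH' > "$CLEAN_HOME/.bash_profile"

hunt_home "$SAMPLE_HOME"   # prints 3
hunt_home "$CLEAN_HOME"    # prints 0
```

Run it as `sh hunt.sh`; to check a real account, call `hunt_home "$HOME"` instead of the constructed directories. The magic-byte test is the one that matters most in practice: the `file` command performs the same check and will report "ELF 64-bit LSB executable" for a lure like this regardless of its name.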

The objective of this decoy is to make the recipient believe the file they opened came from a legitimate source, while the system is infected in the background.

ESET found that the SimplexTea malware used in Lazarus' “Operation DreamJob” is similar to the group's Windows malware “BadCall” and its macOS malware “SimpleSea”, which means that Lazarus now has tooling to infect all major operating systems.

Keeping your Linux system updated with the latest security patches is good practice, but patching does not help against a lure that the user runs themselves, as happened here. It is therefore also important to exercise caution when receiving job offers from unknown sources, particularly on social media platforms like LinkedIn. Be wary of unsolicited job offers, and avoid clicking on links or downloading attachments unless you are sure the sender is trusted; a “document” that arrives inside a ZIP archive and turns out to be an executable is a clear warning sign.