Cybersecurity experts have warned that hackers are targeting potential victims with malware disguised as fake job offers.
According to ESET researchers, the hackers from Lazarus criminal organisation targets Linux users by posing as an email sender and luring them with the prospect of a new position in the software or DeFi platform industries.
The messages, which are sent via LinkedIn or other social media sites, are only a ruse to persuade the recipients to download malicious software.
Lazarus Attack
Lazarus, a prominent cybercriminal organisation believed to be connected to the North Korean government, has been responsible for several campaigns that have targeted users all over the world.
This includes Operation DreamJob, its recent campaign that was launched as a result of the recent supply-chain attack on VoIP provider 3CX, which experts are now almost certain was carried out by Lazarus.
ESET outlined how victims were targeted on social media and urged them to download papers purporting to contain information on a newly offered position in its report.
In its example, ESET found a ZIP archive named “HSBC job offer.pdf.zip” that contains a file that looks at first glance like a PDF, but in fact, uses a unicode character in its name as a disguise.
“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF. This could cause the file to run when double-clicked instead of opening it with a PDF viewer,” ESET added.
When activated, the virus, known as OdicLoader, displays a phoney PDF while downloading a payload in the background. Further investigation by ESET revealed that the payload appears to target Linux VMware virtual machines.
The ramifications of the attack on 3CX are still having an impact on the whole technological sector. According to experts, Lazarus is primarily aiming at cryptocurrency businesses that use the platform which is trojanized.