Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack

2023-04-20 ESET

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/

ESET ties a Lazarus Operation DreamJob campaign aimed at Linux users to the broader body of evidence connecting the group with the 3CX supply-chain compromise. The Linux intrusion chain starts from a ZIP archive carrying a fake HSBC job-offer lure. The archive's only member is a native 64-bit Go ELF binary whose name imitates "HSBC job offer.pdf": the dot is the Unicode ONE DOT LEADER character (U+2024) rather than an ASCII full stop, so the file has no real extension, reads as a PDF to a casual viewer, and executes OdicLoader when opened. OdicLoader displays a decoy PDF, downloads the SimplexTea Linux backdoor from the OpenDrive cloud storage service, stores it under ~/.config/guiconfigd, and modifies ~/.bash_profile so the backdoor is relaunched whenever the user starts a login shell. The finding matters for two reasons: it shows Lazarus extending its DreamJob tooling to Linux, so the group now covers all major desktop platforms, and ESET's analysis of the Linux toolset provides additional technical support for the suspected Lazarus role in the 3CX incident.
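The two detection opportunities in the chain above are mechanical enough to script: a ZIP member whose name contains a confusable dot and whose content is an executable, and a ~/.bash_profile line that launches something from ~/.config/guiconfigd. The following Python triage script is an added example written for this page; it is not code from ESET or from the campaign. The sample archive, the sample .bash_profile text, the launched file name (guiconfigd) and the list of confusable dot characters other than U+2024 are constructed assumptions for illustration. It generalises slightly beyond the report by checking several look-alike dot code points and several executable formats, not only the U+2024/ELF combination ESET observed.

```python
import io
import zipfile

# Code points that render like an ASCII full stop and can fake a file extension.
# U+2024 ONE DOT LEADER is the one ESET reported in the Linux DreamJob lure; the
# rest are assumptions added here for broader coverage.
DOT_CONFUSABLES = {
    "\u2024": "ONE DOT LEADER",
    "\u2027": "HYPHENATION POINT",
    "\u00b7": "MIDDLE DOT",
    "\uff0e": "FULLWIDTH FULL STOP",
}

# Magic bytes used to decide what a member really is, regardless of its name.
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"%PDF": "PDF",
}

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")


def detect_type(head):
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def scan_zip_members(zip_bytes):
    """Return (member_name, reason) findings for members disguised as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            kind = detect_type(zf.open(info).read(8))
            # 1. Any confusable dot in the name is suspicious on its own.
            for ch in name:
                if ch in DOT_CONFUSABLES:
                    findings.append((name, "confusable dot %s (U+%04X) in name"
                                     % (DOT_CONFUSABLES[ch], ord(ch))))
            # 2. Render the name the way a user sees it and compare against the
            #    real content type: a 'PDF' that is an ELF or PE is a lure.
            visible = "".join("." if ch in DOT_CONFUSABLES else ch for ch in name)
            if visible.lower().endswith(DOCUMENT_EXTENSIONS) and kind in ("ELF", "PE"):
                findings.append((name, "document-looking name but %s executable" % kind))
    return findings


def suspicious_bash_profile_lines(text, indicators=("/.config/guiconfigd",)):
    """Return (line_number, line) for .bash_profile lines referencing known paths."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(ind in line for ind in indicators):
            hits.append((lineno, line.strip()))
    return hits


def build_sample_zip():
    """Constructed sample: a Go-style ELF named to look like a PDF, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The member name uses U+2024 in place of the dot, as in the reported lure.
        zf.writestr("HSBC job offer\u2024pdf", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24)
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


# Constructed sample .bash_profile; the launch line and binary name are assumptions.
SAMPLE_BASH_PROFILE = """# .bash_profile
export PATH=$HOME/bin:$PATH
nohup $HOME/.config/guiconfigd/guiconfigd >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for name, reason in scan_zip_members(build_sample_zip()):
        print("ZIP: %r -> %s" % (name, reason))
    for lineno, line in suspicious_bash_profile_lines(SAMPLE_BASH_PROFILE):
        print("bash_profile line %d: %s" % (lineno, line))
```

Run it against a real archive by replacing build_sample_zip() with the bytes of the ZIP under investigation, and feed the user's actual ~/.bash_profile to suspicious_bash_profile_lines. The content-type check is the more durable of the two: an attacker can pick a different confusable character, but an ELF or PE payload still has to carry its magic bytes.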

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    cc307cfb401d1ae616445e78b610ab7…   2023-04-20   2025-12-17
IPv4    23.254.211.230                     2023-04-20   2025-12-17
IPv4    172.93.201.88                      2023-04-20   2025-11-09
HASH    492a643bd1efdaca4ca125ade1b606e…   2023-04-20   2024-12-27
HASH    3a63477a078ce10e53dfb5639e35d74…   2023-04-20   2023-05-09
HASH    9d8bade2030c93d0a010aa57b90915e…   2023-04-20   2023-05-09
HASH    3cf7232e5185109321921046d039cf10   2023-04-20   2023-05-09
HASH    aac5a52b939f3fe792726a13ff7a1747   2023-04-20   2023-05-09
HASH    0ca1723afe261cd85b05c9ef424fc50…   2023-04-20   2023-05-09
HASH    f638e5a20114019ad066dd0e856f97f…   2023-04-20   2023-05-09
HASH    f6760fb1f8b019af2304ea6410001b6…   2023-04-20   2023-05-09
HASH    fc41cb8425b6432af8403959bb59430d   2023-04-20   2023-05-09
IPv4    38.108.185.79                      2023-04-20   2023-05-09
IPv4    38.108.185.115                     2023-04-20   2023-05-09
DOMAIN  journalide.org                     2023-03-29   2023-05-09
HASH    2acc6f1d4656978f4d503929b8c8045…   2023-04-20   2023-05-02
HASH    d288766fa268bc2534f85fd06a5d522…   2023-04-20   2023-05-02
HASH    7491bd61ed15298ce5ee5ffd01c8c82…   2023-04-20   2023-05-02
HASH    58b0516d28bd7218b1908fb266b8fe7…   2023-04-20   2023-05-02
HASH    eebb01932de0b5605dd460cc82844d8…   2023-04-20   2023-05-02
HASH    cedb9cdbad254f60cfb215b9bff84fb9   2023-04-20   2023-05-02
HASH    1c66e67a8531e3ff1c64ae57e6edfde…   2023-04-20   2023-05-02
HASH    dcef83d8ee080b54dc54759c59f955e…   2023-04-20   2023-05-02
HASH    3b88cda62cdd918b62ef5aa8c5a73a4…   2023-03-30   2023-05-02
HASH    cad1120d91b812acafef7175f949dd1…   2023-03-29   2023-05-02
HASH    5b03294b72c0caa5fb20e7817002c60…   2022-12-01   2023-05-02
HASH    65122e5129fc74d6b5ebafcc3376aba…   2017-12-21   2023-05-02
URL     https://journalide.org/djour.php   2023-04-20   2023-04-24
YARA    RichHeaders_Lazarus_NukeSped_Ic…   2023-04-20   2023-04-20
URL     https://od.lk/d/NTJfMzg4MDE1NzJ…   2023-04-20   2023-04-20

Related Reports

2023-04-20 • 31% Match
#YARA #SupplyChain #3CXDesktopApp #SmoothOperator #UNC4736 #X_Trader #UNC4469 #UNC3782 #T1082 #T1140 #T1070.004 #T1071.001 #T1195.002 #T1112 #T1083 #T1497 #T1036 #T1027 #T1071 #T1195 #T1497.001 #T1105 #T1055 #T1620 #T1574.002 #T1622 #T1190 #T1588 #T1574 #T1573.002 #T1614 #T1573 #T1608 #T1070 #T1614.001 #T1071.004 #T1012 #T1588.004 #T1565.001 #T1036.001 #T1070.001 #T1608.003 #T1565
Shares tags: YARA, 3CXDesktopApp, SmoothOperator • Published within a week