Watch out - that dream job offer could be a malware scam

Hackers are targeting potential victims with malware disguised as fake job offers, cybersecurity experts have warned.

Researchers from ESET have found that the Lazarus criminal group is targeting Linux users, emailing victims who work in the software or DeFi platform industries with the promise of a new role.

However, the messages, sent either via LinkedIn or other social media platforms, are simply a ploy to get the victims to download malware.

Lazarus attack

Thought to be affiliated with the North Korean government, Lazarus has become notorious in recent years for a number of cybercrime campaigns targeting users around the world.

This includes Operation DreamJob, its recent campaign that was launched as a result of the recent supply-chain attack on VoIP provider 3CX, which experts are now almost certain was carried out by Lazarus.

In its report on the campaign, ESET outlined how victims were targeted on social media and asked to download documents claiming to contain details about a newly offered position.

In its example, ESET found a ZIP archive named "HSBC job offer.pdf.zip" that contains a file that looks at first glance like a PDF, but in fact uses a Unicode character in its name as a disguise.

"The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF," ESET added. "This could cause the file to run when double-clicked instead of opening it with a PDF viewer."
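A defender-side check for the disguise described above, as an added example that is not from ESET's report or the original article: it scans ZIP entries for names in which a dot lookalike such as U+2024 (ONE DOT LEADER) stands in for the real dot before a document extension, and records whether the content starts with the ELF magic bytes. The lookalike list, extension list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import unicodedata
import zipfile

# Characters that render like "." but are not U+002E (illustrative, not exhaustive).
DOT_LOOKALIKES = {"\u2024", "\uff0e", "\ufe52", "\u00b7"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}  # assumed lure types
ELF_MAGIC = b"\x7fELF"


def disguised_extension(name):
    """Return (lookalike, ext) when the last dot-like separator is a lookalike."""
    base = name.rsplit("/", 1)[-1]
    for i in range(len(base) - 1, -1, -1):
        if base[i] == ".":
            return None  # a real dot comes last, so the real extension governs
        if base[i] in DOT_LOOKALIKES:
            ext = base[i + 1:].lower()
            return (base[i], ext) if ext in DOC_EXTENSIONS else None
    return None


def scan_zip(data):
    """List entries whose name fakes a document extension; note ELF content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = None if info.is_dir() else disguised_extension(info.filename)
            if hit is None:
                continue
            with zf.open(info) as fh:
                is_elf = fh.read(4) == ELF_MAGIC
            findings.append({"name": info.filename, "fake_ext": hit[1],
                             "char": unicodedata.name(hit[0]), "is_elf": is_elf})
    return findings


def build_sample():
    """Constructed, inert archive: one disguised entry and one ordinary PDF name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job offer\u2024pdf", ELF_MAGIC + b"\x00" * 12)
        zf.writestr("readme.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

A name that fakes a document extension and also carries ELF content is the combination worth quarantining at a mail or download gateway.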

If clicked, the malware, named OdicLoader, shows a fake PDF whilst downloading a payload in the background, which, following further examination by ESET, looks to target Linux VMware virtual machines.

The after-effects of the March 2023 attack on 3CX are continuing to shake the technology industry as a whole. Recent reports suggest Lazarus is specifically targeting cryptocurrency companies using a trojanized version of the platform.

3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide. Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald's, Air France, IKEA, the UK's National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.

Mike Moore
Deputy Editor, TechRadar Pro