Lazarus Group Incorporates Linux Malware Into Attack Arsenal for Operation Dream Job

  • Written by Ari Denial, Cybersecurity & Tech Writer

Researchers at ESET have observed the Lazarus Group using Linux malware as part of a prolonged and ongoing operation called Operation Dream Job, which has now been attributed to the group. The finding is significant because it is the first publicly documented instance of Lazarus deploying Linux malware in this social engineering campaign, and it shows how the group's tooling continues to evolve.

This incident highlights the persistent threat posed by North Korean actors and emphasizes the need for comprehensive cybersecurity measures to safeguard against such attacks.

Lazarus Group’s ongoing Operation Dream Job targets software and DeFi platform workers with fake job offers on social media platforms such as LinkedIn. These attacks use social engineering tactics to trick victims into downloading malicious files that contain malware, such as the recently discovered OdicLoader and SimplexTea.

The first-stage loader (OdicLoader) is delivered by spearphishing or by direct messages on LinkedIn as a file whose name is made to look like a PDF: a Unicode character that renders like a period stands in for the real dot, so the name appears to end in ".pdf" even though the file is a native Linux executable. When launched, the loader downloads a second-stage payload, a C++ backdoor called SimplexTea, which is dropped at ~/.config/guiconfigd.SimplexTea.

ESET's analysis of SimplexTea found similarities in functionality, encryption techniques and hard-coded infrastructure with Lazarus's Windows malware "BadCall" and its macOS variant "SimpleSea".

Additionally, an earlier variant of SimplexTea, called "sysnetd" and written in C, was found on VirusTotal. The sysnetd backdoor uses an XOR key previously used by SimpleSea and loads its configuration from a file named /tmp/vgauthsvclog, a name that mimics a VMware guest-tools log and suggests the intended target was a Linux VMware virtual machine. These findings underline the adaptability of Lazarus's tooling, which now covers all major operating systems.
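The two host-side artifacts described above (a file name that only looks like a PDF because a Unicode dot look-alike hides the real extension, and the drop paths ~/.config/guiconfigd.SimplexTea and /tmp/vgauthsvclog) are straightforward to hunt for. The script below is an added example written for this page; it is not ESET's code or any Lazarus sample. The set of dot look-alike and bidi-control code points it checks, the sample file name, the sample bytes and the throwaway directory it builds are all constructed assumptions; the script also generalises slightly beyond the page by flagging any file that claims a document extension but starts with ELF or shebang magic, with or without the Unicode trick.

```python
"""Hunt for Operation Dream Job style artifacts on a Linux host (added example).

1. File names whose visible ".pdf" is faked with a Unicode dot look-alike (or that
   carry bidi control characters, another common extension-hiding trick).
2. Files that claim a document extension but start with executable magic bytes.
3. The two drop paths named in the write-up.
"""
import tempfile
import unicodedata
from pathlib import Path

# Code points that render like an ASCII period.  Which ones an attacker would pick is an
# assumption; U+2024 ONE DOT LEADER is the classic choice for a fake ".pdf".
DOT_LOOKALIKES = {"\u2024", "\u2025", "\uff0e", "\ufe52", "\u0701", "\u0702"}
# Bidi overrides and isolates reorder how the tail of a name is displayed; they have no
# legitimate use in a file name (general technique, not something the write-up mentions).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

ELF_MAGIC = b"\x7fELF"
MAGICS = [(ELF_MAGIC, "ELF executable"), (b"%PDF", "PDF"),
          (b"PK\x03\x04", "ZIP archive"), (b"#!", "script")]
DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "rtf"}

# Constructed sample: a name that displays as "Job offer.pdf" but contains no ASCII dot,
# and the first bytes of a 64-bit little-endian ELF header.
SAMPLE_NAME = "Job offer\u2024pdf"
SAMPLE_HEAD = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9


def analyze_name(name: str) -> dict:
    """Flag deceptive code points and compare the extension a human sees with the real one."""
    flags = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
             for c in name if c in DOT_LOOKALIKES or c in BIDI_CONTROLS]
    # How the name reads once every dot look-alike is rendered as a period.
    visual = "".join("." if c in DOT_LOOKALIKES else c for c in name)
    apparent_ext = visual.rsplit(".", 1)[-1].lower() if "." in visual else ""
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"flags": flags, "apparent_ext": apparent_ext, "real_ext": real_ext}


def file_kind(head: bytes) -> str:
    """Classify a file by its magic bytes instead of trusting the name."""
    for magic, kind in MAGICS:
        if head.startswith(magic):
            return kind
    return "unknown"


def assess(name: str, head: bytes) -> dict:
    """Combine the name and content checks into one verdict."""
    info = analyze_name(name)
    info["kind"] = file_kind(head)
    claims_document = info["apparent_ext"] in DOCUMENT_EXTS
    is_executable = info["kind"] in {"ELF executable", "script"}
    info["suspicious"] = bool(info["flags"]) or (claims_document and is_executable)
    return info


def check_drop_paths(home: Path = None, tmp: Path = None) -> list:
    """Return whichever of the SimplexTea / sysnetd drop paths exist on this host."""
    home = Path.home() if home is None else home
    tmp = Path("/tmp") if tmp is None else tmp
    candidates = [home / ".config" / "guiconfigd.SimplexTea", tmp / "vgauthsvclog"]
    return [str(p) for p in candidates if p.exists()]


def build_demo_tree() -> Path:
    """Constructed fixture: a throwaway directory standing in for an infected $HOME and /tmp."""
    root = Path(tempfile.mkdtemp(prefix="dreamjob_demo_"))
    (root / ".config").mkdir()
    (root / ".config" / "guiconfigd.SimplexTea").write_bytes(SAMPLE_HEAD)
    (root / "vgauthsvclog").write_bytes(b"\x00" * 16)  # placeholder config blob
    return root


if __name__ == "__main__":
    print(assess(SAMPLE_NAME, SAMPLE_HEAD))
    demo = build_demo_tree()
    print(check_drop_paths(home=demo, tmp=demo))
```

In production you would feed `assess()` the name and first 16 bytes of every file under download and mail-attachment directories, and run `check_drop_paths()` for every user's home directory rather than only the current one. Note that name-based matching on the drop paths is only a first pass: an attacker who reads the same report can rename the files, so the magic-byte and Unicode checks are the parts worth keeping in a detection rule.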

Capita Admits Data Theft in Recent Cyberattack by Hackers

  • Written by Ari Denial, Cybersecurity & Tech Writer

UK outsourcing company Capita has disclosed that customer data may have been stolen during a cyberattack in March.

The firm, which provides services to the NHS and the UK government, confirmed that its investigation had found indications of “limited data exfiltration”, possibly affecting customers, suppliers or staff. No further information was released on the nature of the data taken or how many people may have been impacted.

Although Capita itself has given no such detail, reports suggest that the Black Basta ransomware group, which claimed responsibility for the attack, published personal data such as bank account details and passport photos, as well as data belonging to teachers applying for jobs at schools.

The Black Basta ransomware group, believed to have targeted UK outsourcing firm Capita in a cyber attack last month, is also said to have targeted US satellite television provider Dish. Capita initially reported an “IT issue” before later admitting a “cyber incident” had caused disruption.

Although the company initially said it had no evidence of data theft, it later confirmed limited data exfiltration. The attack also affected some services provided to clients including Barnet Council and O2. Some reports, apparently written before the data described above was posted, stated that Capita had not yet appeared on Black Basta's dark web leak site.

UK government services faced minimal disruption during a cyber attack that affected outsourcing company Capita last month, according to Conor Walsh, a spokesperson for the Cabinet Office. The company holds public sector contracts worth £6.5bn ($8bn). Capita, which has said that it has now restored most of the affected client services, revealed that the hackers first infiltrated its internal systems on 22 March. The breach was interrupted on 31 March. The company has also reinstated staff access to Microsoft 365.

Capita has also revealed that around 4% of its server estate may have been affected by a cyber attack that occurred in March. The company added that it is continuing forensic investigations and will notify affected customers, suppliers or staff in a timely manner. The Information Commissioner’s Office confirmed that it is assessing information provided by Capita.