ESET researchers link Lazarus to the 3CX supply-chain attack, detailing Operation DreamJob’s Linux payload OdicLoader delivering the SimplexTea backdoor via OpenDrive. The findings reinforce Lazarus’s cross-OS toolkit (Windows, macOS, Linux) and its engagement in high-profile supply-chain compromises. #Lazarus #3CX
Key points
- The Lazarus group’s Operation DreamJob targeted Linux users with a decoy HSBC job offer, culminating in the SimplexTea Linux backdoor delivered through OpenDrive.
- Attribution of the 3CX supply-chain attack to Lazarus is strengthened by links to previously observed Lazarus macOS and Windows components (AppleJeus, Gopuram, etc.).
- The attack chain starts with a ZIP archive containing a lure and ends with a second-stage backdoor fetched from cloud storage, persisted through a modified Bash profile that also mutes the backdoor's output.
- The 3CX incident is tied to Lazarus with cross-OS malware families (Windows/macOS/Linux) sharing code and infrastructure patterns.
MITRE Techniques
- [T1593.001] Search Open Websites/Domains: Social Media – Lazarus attackers probably approached a target with a fake HSBC-themed job offer that would fit the target’s interests. “The Lazarus group’s Operation DreamJob involves approaching targets through LinkedIn and tempting them with job offers from industry leaders.”
- [T1584.001] Acquire Infrastructure: Domains – Unlike many previous cases of compromised C&C used in Operation DreamJob, Lazarus operators registered their own domain for the Linux target. “Acquire Infrastructure: Domains.”
- [T1587.001] Develop Capabilities: Malware – Custom tools from the attack are very likely developed by the attackers. “Develop Capabilities: Malware.”
- [T1585.003] Establish Accounts: Cloud Accounts – The attackers hosted the final stage on the cloud service OpenDrive. “Establish Accounts: Cloud Accounts.”
- [T1608.001] Stage Capabilities: Upload Malware – The attackers hosted the final stage on the cloud service OpenDrive. “Stage Capabilities: Upload Malware.”
- [T1204.002] User Execution: Malicious File – OdicLoader masquerades as a PDF file in order to fool the target. “User Execution: Malicious File.”
- [T1566.002] Phishing: Spearphishing Link – The target likely received a link to third-party remote storage with a malicious ZIP archive. “Phishing: Spearphishing Link.”
- [T1546.004] Event Triggered Execution: Unix Shell Configuration Modification – OdicLoader modifies the victim’s Bash profile, so SimplexTea is launched each time Bash is started and its output is muted. “Event Triggered Execution: Unix Shell Configuration Modification.”
- [T1134.002] Access Token Manipulation: Create Process with Token – SimplexTea can create a new process, if instructed by its C&C server. “Access Token Manipulation: Create Process with Token.”
- [T1140] Deobfuscate/Decode Files or Information – SimplexTea stores its configuration in an encrypted apdl.cf. “Deobfuscate/Decode Files or Information.”
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – The droppers of all malicious chains contain an embedded data array with an additional stage. “Obfuscated Files or Information: Embedded Payloads.”
- [T1562.003] Impair Defenses: Impair Command History Logging – OdicLoader modifies the victim’s Bash profile, so the output and error messages from SimplexTea are muted. “Impair Defenses: Impair Command History Logging.”
- [T1070.004] Indicator Removal: File Deletion – SimplexTea has the ability to delete files securely. “Indicator Removal: File Deletion.”
- [T1497.003] Virtualization/Sandbox Evasion: Time-Based Evasion – SimplexTea implements multiple custom sleep delays in its execution. “Time Based Evasion.”
- [T1083] File and Directory Discovery – SimplexTea can list directory contents together with file names, sizes, and timestamps. “File and Directory Discovery.”
- [T1071.001] Application Layer Protocol: Web Protocols – SimplexTea can use HTTP and HTTPS for communication with its C&C server. “Application Layer Protocol: Web Protocols.”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – SimplexTea encrypts C&C traffic using AES-GCM. “Encrypted Channel: Symmetric Cryptography.”
- [T1132.001] Data Encoding: Standard Encoding – SimplexTea encodes C&C traffic using base64. “Data Encoding: Standard Encoding.”
- [T1090] Proxy – SimplexTea can utilize a proxy for communications. “Proxy.”
- [T1041] Exfiltration: Exfiltration Over C2 Channel – SimplexTea can exfiltrate data as ZIP archives to its C&C server. “Exfiltration Over C2 Channel.”
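The T1546.004 and T1562.003 entries above describe the same host artifact: a line added to the victim's Bash profile that starts the backdoor and sends its output to /dev/null. The following is an added, defender-side example (it is not code from the ESET report) that scans shell startup files for that pattern. The detection heuristics, the list of startup files, and the sample profile are all constructed for this example; only the file name guiconfigd comes from the report, and the directory it is placed in is made up.

```python
import re
from pathlib import Path

# Shell startup files read when an interactive or login Bash starts (assumed list).
STARTUP_FILES = (".bash_profile", ".bashrc", ".profile", ".bash_login")

# Heuristics constructed for this example, not taken from the ESET report:
#   muted      - stdout or stderr is redirected to /dev/null
#   background - command is backgrounded with a trailing '&', or wrapped in nohup/setsid
#   odd_path   - executable lives under $HOME, ~, /tmp, /var/tmp, /dev/shm or a hidden directory
MUTED_RE = re.compile(r"(?:[12]?>|&>)\s*/dev/null")
BACKGROUND_RE = re.compile(r"(?:^|[\s;(])(?:nohup|setsid)\s|&\s*$")
ODD_PATH_RE = re.compile(r"(?:\$HOME|~|/tmp|/var/tmp|/dev/shm)/|/\.[A-Za-z0-9_.-]+/")


def scan_profile_text(text, source="<constructed>"):
    """Return candidate persistence entries found in the content of one startup file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        muted = bool(MUTED_RE.search(line))
        background = bool(BACKGROUND_RE.search(line))
        odd_path = bool(ODD_PATH_RE.search(line))
        # A silenced, backgrounded command is the signature we care about;
        # an unusual binary location only raises the severity, so that a sourced
        # helper script with "2>/dev/null" (common and benign) is not flagged.
        if muted and background:
            findings.append({
                "file": source,
                "line": lineno,
                "text": line,
                "severity": "high" if odd_path else "medium",
            })
    return findings


def scan_home(home):
    """Scan every known startup file under one home directory; returns all findings."""
    home = Path(home)
    results = []
    for name in STARTUP_FILES:
        path = home / name
        if path.is_file():
            results.extend(scan_profile_text(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample .bash_profile: three ordinary lines plus one entry of the kind
# OdicLoader is described as adding. "guiconfigd" is the file name from the report;
# the $HOME/.config location is invented for this example.
SAMPLE_PROFILE = """\
# ~/.bash_profile
export PATH="$HOME/bin:$PATH"
[ -s "$HOME/.nvm/nvm.sh" ] && source "$HOME/.nvm/nvm.sh" 2>/dev/null
alias ll='ls -la'
$HOME/.config/guiconfigd >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for f in scan_profile_text(SAMPLE_PROFILE, "~/.bash_profile"):
        print(f"{f['severity']:6} {f['file']}:{f['line']}: {f['text']}")
```

Run against real hosts with `scan_home("/home/<user>")` for each user directory; the nvm line in the sample shows why the rule requires both the muted output and the backgrounding rather than either alone.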
Indicators of Compromise
- [File hash] Linux/NukeSped.E – 0CA1723AFE261CD85B05C9EF424FC50290DCE7DF
- [File hash] Linux/NukeSped.E – 3A63477A078CE10E53DFB5639E35D74F93CEFA81
- [Network] C2 server – 23.254.211.230 (Hostwinds LLC.)
- [Network] C2 server – 172.93.201.88 (journalide[.]org hosting)
- [Domain] C2 domain – journalide[.]org
- [Domain] Cloud storage domain – od[.]lk
- [Filename] guiconfigd – Linux/NukeSped.E
- [Filename] HSBC_job_offer.pdf – Linux/NukeSped.E
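The indicators above are published defanged (journalide[.]org, od[.]lk), so they cannot be matched against logs verbatim. The following is an added example, not code from the ESET report, that refangs the list, normalises hash case, and matches the result against a few constructed log lines (DNS, proxy and EDR style). The indicator values are the ones listed on this page; the log lines, the host names in them, the user name, and the file path are constructed, and the regular expressions used to pick tokens out of free-text logs are an assumption of this example.

```python
import re
from pathlib import PurePosixPath

# Indicators exactly as listed in the report, still defanged.
RAW_IOCS = {
    "sha1": [
        "0CA1723AFE261CD85B05C9EF424FC50290DCE7DF",
        "3A63477A078CE10E53DFB5639E35D74F93CEFA81",
    ],
    "ip": ["23.254.211.230", "172.93.201.88"],
    "domain": ["journalide[.]org", "od[.]lk"],
    "filename": ["guiconfigd", "HSBC_job_offer.pdf"],
}


def refang(value):
    """Undo the usual defanging conventions: [.] and (.) become '.', hxxp becomes http."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def load_iocs(raw):
    """Normalise the raw list into lookup sets: lowercase hashes and domains."""
    return {
        "sha1": {h.lower() for h in raw["sha1"]},
        "ip": set(raw["ip"]),
        "domain": {refang(d).lower() for d in raw["domain"]},
        "filename": set(raw["filename"]),
    }


# Token extractors (assumed shapes, good enough for typical text logs).
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")
PATH_RE = re.compile(r"(?:/[^\s:]+)+")


def match_line(line, iocs):
    """Return (kind, indicator) pairs for every indicator present in one log line."""
    hits = []
    for h in SHA1_RE.findall(line):
        if h.lower() in iocs["sha1"]:
            hits.append(("sha1", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        d = dom.lower()
        for known in iocs["domain"]:
            # Match the domain itself and any subdomain of it.
            if d == known or d.endswith("." + known):
                hits.append(("domain", known))
    for p in PATH_RE.findall(line):
        name = PurePosixPath(p).name
        if name in iocs["filename"]:
            hits.append(("filename", name))
    return hits


def scan_logs(lines, iocs):
    """Return (line_number, kind, indicator) for every hit across a sequence of log lines."""
    results = []
    for lineno, line in enumerate(lines, 1):
        for kind, value in match_line(line, iocs):
            results.append((lineno, kind, value))
    return results


# Constructed log lines; hosts, user, client IP and path are invented.
SAMPLE_LOG = [
    "2023-04-20T10:14:50Z proxy host=od.lk user=jdoe",
    "2023-04-20T10:15:02Z dns query=journalide.org client=10.0.0.5",
    "2023-04-20T10:15:03Z proxy dst=172.93.201.88:443 user=jdoe",
    "2023-04-20T10:16:00Z edr file=/home/jdoe/Downloads/HSBC_job_offer.pdf "
    "sha1=0ca1723afe261cd85b05c9ef424fc50290dce7df",
    "2023-04-20T10:20:00Z dns query=cdn.example.net client=10.0.0.5",
]

if __name__ == "__main__":
    for lineno, kind, value in scan_logs(SAMPLE_LOG, load_iocs(RAW_IOCS)):
        print(f"line {lineno}: {kind} {value}")
```

The od.lk entry needs care in practice: it is a shared cloud-storage domain, so a hit on it is a lead to pivot on (which user, what was fetched, what ran afterwards) rather than a verdict on its own, whereas the hashes, the registered C&C domain and the two server addresses are specific to this campaign.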