Malware, Threat Management

Linux malware from Lazarus Group resembles tools used in 3CX compromise

Researchers at ESET say they have found a new piece of Linux-based malware that expands on existing evidence that the 3CX software supply chain hack was conducted by North Korean actors. (Image Credit: Bill Hinton via Getty Images)

Researchers at ESET say they have found a new piece of Linux-based malware that expands on existing evidence that the 3CX software supply chain hack was conducted by North Korean actors.

In a blog post Thursday, April 20, ESET researchers said they reconstructed the full chain of the Linux attack, from the Zip file that delivers a fake HSBC job offer as a decoy up until the final payload: a SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account.

While the Linux malware is unrelated, ESET researchers also said that the discovery of the malware chain helped them confirm with a “high level of confidence” that the 3CX supply-chain attack disclosed in late March was conducted by Lazarus Group. The moniker is less a distinct outfit and more of an umbrella term for a mix of state-sponsored and criminal hacking groups based in North Korea, many of whom conduct operations on behalf of the Hermit Kingdom.

“The recent discovery of their malicious toolset running on Linux shows Lazarus adapts to their targets and pursue their efforts to compromise their victims via social engineering, said ESET researcher Peter Kálnai, who investigates Lazarus activities.

He also claimed ESET's findings represent another first for North Korean hackers.

“It’s the first time we see Lazarus targeting Linux desktop users,” said Kálnai. “This is worrying given the backdoor has features to list and exfiltrate any files on the compromised system. Although not directly related, we couldn’t ignore the resemblance with malware used in the compromise of 3CX, making claims that the recent incident is Lazarus’s work even more credible. Not only did we find similarity in the code such as file names and encryption keys, but also in network infrastructure used for exfiltration of sensitive data.”

The link to North Korea in the 3CX case was suspected from the outset of the breach disclosure, and was initially reported on March 29 in a Reddit thread by a CrowdStrike engineer, followed by an official report the same day by CrowdStrike. An interim assessment from Mandiant - which was hired by 3CX to investigate the breach - also pointed the finger at "a North Korean nexus" for the attack. Other security companies have contributed their summaries of the events, including SophosCheck PointBroadcom, and Trend Micro, with a number of them also attributing the compromise to a North Korea-aligned group.

According to the 3CX website, the company has more than 600,000 companies as clients, including American Express, BMW, Air France, Toyota, IKEA and others. A Shodan search on March 30 found more than 240,000 3CX-exposed phone management systems, while managed security service provider Huntress reported it has sent out more than 2,783 incident reports where the 3CXDesktopApp.exe binary matches known malicious hashes and had a signed certificate from 3CX on March 13.

In an update to the ongoing 3CX story Thursday, Google-owned Mandiant said it identified the initial intrusion vector: an outdated and corrupted version of X_Trader, a software program used to trade stocks and futures

Expanded tactics via Linux

This Linux-based malware attack shows how threat actors continue to expand their arsenal, targets, tactics, and reach to get around security controls and practices, said John Anthony Smith, chief executive officer at Conversant Group. Smith said the latest Linux attack is the latest example of threat actors expanding their malware variants to affect more systems, such as BlackCat using the Rust language so that their ransomware can infect Linux systems and be more undetectable. 

“It's a new look on the old ‘fake offer’ scenario,” said Smith.

Bud Broomhead, chief executive officer at Viakoo, added that Linux malware in the threat actor arsenal could be a reflection of a shift in focus to include exploiting vulnerable IoT/OT devices, which exist at much higher scale than IT systems and often are not managed with the same focus on cybersecurity as IT devices.

“IoT/OT devices are functionally cyber-physical systems, where there’s a physical element to their operation: adjust valves, open doors, capture video,” explained Broomhead. “In essence, these devices are the eyes, ears, and hands of an organization. Nation-state threat actors in particular look to infect and have a foothold in cyber-physical system infrastructure because of their potential to disrupt and confuse their victims.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.