Watch out - that dream job offer could be a malware scam

Linux users targeted with malware by North Korean Lazarus hackers

Hackers are targeting potential victims with malware disguised as fake job offers, cybersecurity experts have warned.

Researchers from ESET have found that the Lazarus criminal group is targeting Linux users, approaching victims who work in the software or DeFi platform industries with the promise of a new role.

However, the messages, sent via LinkedIn or other social media platforms, are simply a ploy to get the victims to download malware.

Lazarus attack

Thought to be affiliated with the North Korean government, Lazarus has become notorious in recent years for a number of cybercrime campaigns targeting users around the world.

This includes Operation DreamJob, its recent campaign that was launched as a result of the recent supply-chain attack on VoIP provider 3CX, which experts are now almost certain was carried out by Lazarus.

In its report on the campaign, ESET outlined how victims were targeted on social media, and asked to download documents claiming to contain details about a new offered position.

In its example, ESET found a ZIP archive named “HSBC job offer.pdf.zip” that contains a file that looks at first glance like a PDF, but in fact uses a Unicode character in its name as a disguise.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” ESET added. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”

If clicked, the malware, named OdicLoader, shows a fake PDF whilst downloading a payload in the background which, following further examination by ESET, looks to target Linux VMware virtual machines.
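The filename disguise described above can be checked for before an archive is opened. The following is an added example, not code from ESET or from this article: it flags ZIP entries where a character that only looks like a full stop precedes a document extension, and reports whether the entry starts with an ELF header and carries a Unix execute bit. The function names, the extension list, the use of NFKC normalisation to spot lookalike dots, the ELF check and the sample archive are all assumptions made for the illustration.

```python
import io
import unicodedata
import zipfile

# Document-style extensions a lure might imitate (assumed list; extend as needed).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "odt", "txt"}

def fake_dot_positions(name):
    """Indexes of characters that NFKC-normalise to '.' but are not U+002E,
    for example U+2024 ONE DOT LEADER or U+FF0E FULLWIDTH FULL STOP."""
    return [i for i, ch in enumerate(name)
            if ch != "." and unicodedata.normalize("NFKC", ch) == "."]

def is_disguised(name):
    """True when a lookalike dot is followed by a document-style extension."""
    base = name.rsplit("/", 1)[-1]
    return any(base[i + 1:].split(".")[0].lower() in DOC_EXTS
               for i in fake_dot_positions(base))

def scan_zip(data):
    """Return (name, is_elf, exec_bit) for every disguised entry in a ZIP (bytes)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_disguised(info.filename):
                continue
            with zf.open(info) as fh:
                is_elf = fh.read(4) == b"\x7fELF"  # assumption: native Linux binary
            exec_bit = bool((info.external_attr >> 16) & 0o111)  # Unix mode bits
            findings.append((info.filename, is_elf, exec_bit))
    return findings

def build_sample():
    """Constructed, harmless archive: one real .pdf name and one disguised entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("benefits.pdf", b"%PDF-1.4\n")
        lure = zipfile.ZipInfo("sample offer\u2024pdf")  # constructed name
        lure.external_attr = 0o100755 << 16              # marked executable
        zf.writestr(lure, b"\x7fELF" + b"\x00" * 12)     # ELF magic only, not a program
    return buf.getvalue()

if __name__ == "__main__":
    for name, is_elf, exec_bit in scan_zip(build_sample()):
        print(f"{name!r}: lookalike dot before extension, elf={is_elf}, exec={exec_bit}")
```

A mail or download gateway could run the same check on attachment names and quarantine any hit for review.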

The after-effects of the March 2023 attack on 3CX are continuing to shake the technology industry as a whole. Recent reports suggest Lazarus is specifically targeting cryptocurrency companies using a trojanized version of the platform.

3CX has more than 12 million daily users, with products used by more than 600,000 companies worldwide. Its customer list includes high-profile companies and organizations like American Express, Coca-Cola, McDonald’s, Air France, IKEA, the UK’s National Health Service, and multiple automakers, including BMW, Honda, Toyota, and Mercedes-Benz.

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK’s leading national newspapers and fellow Future title ITProPortal, and when he’s not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.
