Date: 2023-06-14

Cybersecurity experts have warned that hackers are using malware disguised as fake job offers to target potential victims.

Researchers from ESET have found that Lazarus, a North Korean state-sponsored hacking group, is targeting Linux users by sending them phishing emails that appear to be job offers from software or DeFi platform companies.

The messages, sent through LinkedIn or other social media platforms, are actually attempts to trick victims into downloading malware.

Lazarus attack

Thought to be affiliated with the North Korean government, Lazarus has become notorious in recent years for a number of cybercrime campaigns targeting users around the world.

This includes Operation DreamJob, a recent campaign that was launched as a result of the supply-chain attack on VoIP provider 3CX, which experts are now almost certain was carried out by Lazarus.

In its report on the campaign, ESET outlined how victims were targeted on social media and asked to download documents claiming to contain details about a newly offered position.

In its example, ESET found a ZIP archive named “HSBC job offer.pdf.zip” that contains a file that looks at first glance like a PDF, but in fact uses a Unicode character in its name as a disguise.

“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” ESET added. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”
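A defensive check for the filename disguise described above, as an added example that is not code from ESET or from the original article: it scans a ZIP archive for entries whose apparent document extension is preceded by a dot-lookalike character instead of an ASCII period, and notes whether the content starts with the ELF magic bytes. The lookalike set (including U+2024 ONE DOT LEADER), the extension watch list, the ELF check and the sample entry names are assumptions; the sample archive is constructed and contains only inert bytes.

```python
import io
import unicodedata
import zipfile

# Code points that render like "." but are not the ASCII full stop (U+002E).
DOT_LOOKALIKES = {"\u2024", "\u2027", "\uFE52", "\uFF0E"}
DOC_EXTS = {"pdf", "doc", "docx", "odt", "rtf", "txt"}  # assumed watch list


def fake_extension(name):
    """Return (char_name, ext) if the name ends in <lookalike dot><document ext>."""
    base = name.rsplit("/", 1)[-1]
    for i in range(len(base) - 1, -1, -1):
        ch = base[i]
        if ch == ".":
            return None  # a genuine ASCII separator comes last: real extension
        if ch in DOT_LOOKALIKES:
            ext = base[i + 1:].lower()
            return (unicodedata.name(ch), ext) if ext in DOC_EXTS else None
    return None


def scan_zip(data):
    """List (entry, lookalike, shown_ext, is_elf) for disguised entries in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hit = fake_extension(info.filename)
            if hit is None:
                continue
            with zf.open(info) as fh:
                is_elf = fh.read(4) == b"\x7fELF"  # Linux executable magic
            findings.append((info.filename, hit[0], hit[1], is_elf))
    return findings


def build_sample():
    """Constructed archive: one disguised entry (inert bytes), one ordinary PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HSBC job offer\u2024pdf", b"\x7fELF" + b"\x00" * 12)
        zf.writestr("readme.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

The same `fake_extension` check can be applied to attachment names at a mail gateway or to files already unpacked into a downloads directory.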

If clicked, the malware, named OdicLoader, shows a fake PDF whilst downloading a payload in the background, which, following further examination by ESET, looks to target Linux VMware virtual machines.