April 19, 2022

Lazarus Operation Dream Job

Industry: Chemical & Information Technology | Level: Tactical | Source: Symantec

Symantec’s tracking of Lazarus, a North Korean advanced persistent threat (APT) group, has identified activity targeting the chemical and information technology sectors in South Korea, with Operation Dream Job observed since January 2022. Although the information technology sector was targeted, it is believed the attacks were intended to pivot to the chemical sector. The Operation Dream Job campaign has been active since August 2020, luring victims with fictitious job postings themed for various sectors. A typical attack chain in the campaign involves executing an HTM file that downloads a malicious DLL, which is then injected into a process; Symantec identified injection into the “legitimate system management software INISAFE Web EX Client.” Additional observed activity included obtaining credentials by dumping registry keys, executing a BAT file, and creating scheduled tasks for persistence.

  • Anvilogic Scenario: Lazarus – Operation Dream Job – Target Chemical Sector
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Create/Modify Schtasks
    • Suspicious File written to Disk
    • Windows FTP Exfiltration
    • Credentials in Registry
    • Executable Create Script Process
    • Rare remote thread
    • Control Panel Abuse
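The behaviours in the attack chain above can be approximated as process-creation detections and then correlated per host, which is what the scenario/use-case split expresses. The following is an added example, not Anvilogic’s or Symantec’s detection logic: the rule names are taken from the list above, while the matching logic, the sample events, the file paths and the three-use-case threshold are this example’s own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the Symantec report): (host, parent, image, command line).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Program Files\INISAFE\INISAFEWebEX.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\Public\update.dll,Start"),
    ("ws01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\Public\run.bat"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /sc minute /mo 30 /tn Update /tr C:\Users\Public\run.bat"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\SAM C:\Users\Public\sam.hiv"),
    ("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ftp.exe",
     r"ftp -s:C:\Users\Public\upload.txt"),
    ("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign: no user-writable DLL path
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)  # assumed "suspicious" locations
SHELLS = ("cmd.exe", "powershell.exe", "explorer.exe")

def _is(image, name):  # compare on the image basename only
    return image.lower().endswith("\\" + name)

# One predicate per use case named in the list above; the matching logic is this example's own.
RULES = {
    "Rundll32 Command Line": lambda p, i, c:
        _is(i, "rundll32.exe") and USER_WRITABLE.search(c) is not None,
    "Executable Create Script Process": lambda p, i, c:
        _is(i, "cmd.exe") and not any(_is(p, s) for s in SHELLS)
        and re.search(r"\.(bat|cmd)\b", c, re.I) is not None,
    "Create/Modify Schtasks": lambda p, i, c:
        _is(i, "schtasks.exe") and re.search(r"/(create|change)\b", c, re.I) is not None,
    "Credentials in Registry": lambda p, i, c:
        _is(i, "reg.exe") and re.search(r"\b(save|export)\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", c, re.I) is not None,
    "Windows FTP Exfiltration": lambda p, i, c:
        _is(i, "ftp.exe") and "-s:" in c.lower(),
}

def evaluate(events):  # host -> set of use-case names its events triggered
    hits = defaultdict(set)
    for host, parent, image, cmdline in events:
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                hits[host].add(name)
    return dict(hits)

def scenario_hosts(events, min_use_cases=3):  # hosts with enough distinct use cases to match the scenario
    return sorted(h for h, s in evaluate(events).items() if len(s) >= min_use_cases)
```

Correlating distinct use cases per host keeps a single benign rundll32 or schtasks invocation from raising the scenario alert on its own.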