forked from LexusWang/Aurora-demos
40_C0022.txt
During Operation Dream Job, Lazarus Group queried compromised victims' Active Directory servers to obtain the list of employees, including administrator accounts.
During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.
During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.
During Operation Dream Job, Lazarus Group used file hosting services like Dropbox and OneDrive.
During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.
During Operation Dream Job, Lazarus Group archived the victim's data into a RAR file.
During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.
During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts.
During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.
During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[3]
During Operation Dream Job, Lazarus Group executed a malicious macro written in VBA after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant.[1]
For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.[2]
For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[1][3]
During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.[1]
During Operation Dream Job, Lazarus Group used tools that used the IsDebuggerPresent call to detect debuggers.
For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[1][3][2]
During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.
During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.
For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.[1]
During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.
During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.
During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox.[3]
During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.
For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.
For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.
During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.[1]
During Operation Dream Job, Lazarus Group impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.[1][3]
During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.
During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[1][3]
During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.
During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[2]
During Operation Dream Job, Lazarus Group used the Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.
During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[1][2]
During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with Base64.[1][3][2]
For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.[1]
During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.
During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers.[1]
During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[1]
During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[1]
During Operation Dream Job, Lazarus Group created scheduled tasks to set a periodic execution of a remote XSL script.
For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.
During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.
For Operation Dream Job, Lazarus Group used compromised servers to host malware.[1][3][2]
For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.
During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.
During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.
During Operation Dream Job, Lazarus Group executed malware with C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db", CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905.[1][3]
During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.
During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.[1]
During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[1]
During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from defense, aerospace, and other sectors.[1]
During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.
During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.
During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.
During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded DLL custom downloader.