C0022 Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, including fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[4][3][2][5]
Item | Value |
---|---|
ID | C0022 |
Associated Names | Operation North Star, Operation Interception |
First Seen | September 2019 |
Last Seen | August 2020 |
Version | 1.0 |
Created | 17 March 2023 |
Last Modified | 10 April 2023 |
Associated Campaign Descriptions
Name | Description |
---|---|
Operation North Star | [3][1] |
Operation Interception | [2] |
Groups
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | [4][3][1][2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.002 | Domain Account | During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts.[2] |
enterprise | T1583 | Acquire Infrastructure | - |
enterprise | T1583.001 | Domains | During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[2] |
enterprise | T1583.004 | Server | During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[2] |
enterprise | T1583.006 | Web Services | During Operation Dream Job, Lazarus Group used file hosting services such as Dropbox and OneDrive.[4] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | During Operation Dream Job, Lazarus Group used HTTP and HTTPS to contact actor-controlled C2 servers.[3] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | During Operation Dream Job, Lazarus Group archived the victim's data into a RAR file.[2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.[3] |
enterprise | T1110 | Brute Force | During Operation Dream Job, Lazarus Group performed brute force attacks against administrator accounts.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | During Operation Dream Job, Lazarus Group used PowerShell commands to explore the environment of compromised victims.[2] |
enterprise | T1059.003 | Windows Command Shell | During Operation Dream Job, Lazarus Group launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.[2][3] |
enterprise | T1059.005 | Visual Basic | During Operation Dream Job, Lazarus Group executed a VBA-written malicious macro after victims downloaded malicious DOTM files; Lazarus Group also used Visual Basic macro code to extract a double Base64-encoded DLL implant.[4][3] |
enterprise | T1584 | Compromise Infrastructure | - |
enterprise | T1584.001 | Domains | For Operation Dream Job, Lazarus Group compromised domains in Italy and other countries for their C2 infrastructure.[3][1] |
enterprise | T1584.004 | Server | For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[4][2][3] |
enterprise | T1005 | Data from Local System | During Operation Dream Job, Lazarus Group used malicious Trojans and DLL files to exfiltrate data from an infected host.[4][3] |
enterprise | T1622 | Debugger Evasion | During Operation Dream Job, Lazarus Group used tools that called IsDebuggerPresent to detect debuggers.[4] |
enterprise | T1587 | Develop Capabilities | - |
enterprise | T1587.001 | Malware | For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[4][2][3][1] |
enterprise | T1587.002 | Code Signing Certificates | During Operation Dream Job, Lazarus Group digitally signed their malware and the dbxcli utility.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | During Operation Dream Job, Lazarus Group used an AES key to communicate with their C2 server.[3] |
enterprise | T1585 | Establish Accounts | - |
enterprise | T1585.001 | Social Media Accounts | For Operation Dream Job, Lazarus Group created fake LinkedIn accounts for their targeting efforts.[4][2] |
enterprise | T1585.002 | Email Accounts | During Operation Dream Job, Lazarus Group created fake email accounts to correspond with fake LinkedIn personas; Lazarus Group also established email accounts to match those of the victim as part of their BEC attempt.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Dream Job, Lazarus Group exfiltrated data from a compromised host to actor-controlled C2 servers.[4] |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.002 | Exfiltration to Cloud Storage | During Operation Dream Job, Lazarus Group used a custom build of the open-source command-line tool dbxcli to exfiltrate stolen data to Dropbox.[2][4] |
enterprise | T1083 | File and Directory Discovery | During Operation Dream Job, Lazarus Group conducted word searches within documents on a compromised host in search of security and financial matters.[4] |
enterprise | T1589 | Gather Victim Identity Information | For Operation Dream Job, Lazarus Group conducted extensive reconnaissance research on potential targets.[4] |
enterprise | T1591 | Gather Victim Org Information | For Operation Dream Job, Lazarus Group gathered victim organization information to identify specific targets.[4] |
enterprise | T1591.004 | Identify Roles | During Operation Dream Job, Lazarus Group targeted specific individuals within an organization with tailored job vacancy announcements.[4][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | During Operation Dream Job, Lazarus Group removed all previously delivered files from a compromised computer.[2] |
enterprise | T1105 | Ingress Tool Transfer | During Operation Dream Job, Lazarus Group downloaded multistage malware and tools onto a compromised host.[4][2][3] |
enterprise | T1534 | Internal Spearphishing | During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.008 | Masquerade File Type | During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[3][2] |
enterprise | T1106 | Native API | During Operation Dream Job, Lazarus Group used the Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.[3] |
enterprise | T1027 | Obfuscated Files or Information | During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and encoded DLL files with Base64.[4][2][3][1] |
enterprise | T1027.002 | Software Packing | During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.[4][3][1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | For Operation Dream Job, Lazarus Group obtained tools such as Wake-On-Lan, Responder, ChromePass, and dbxcli.[4][2] |
enterprise | T1588.003 | Code Signing Certificates | During Operation Dream Job, Lazarus Group used code signing certificates issued by Sectigo RSA for some of its malware and tools.[2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | During Operation Dream Job, Lazarus Group sent emails with malicious attachments to gain unauthorized access to targets' computers.[4][3] |
enterprise | T1566.002 | Spearphishing Link | During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[4][2] |
enterprise | T1566.003 | Spearphishing via Service | During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[4][2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | During Operation Dream Job, Lazarus Group created scheduled tasks to periodically execute a remote XSL script.[2] |
enterprise | T1593 | Search Open Websites/Domains | - |
enterprise | T1593.001 | Social Media | For Operation Dream Job, Lazarus Group used LinkedIn to identify and target employees within a chosen organization.[2] |
enterprise | T1505 | Server Software Component | - |
enterprise | T1505.004 | IIS Components | During Operation Dream Job, Lazarus Group targeted Windows servers running Internet Information Systems (IIS) to install C2 components.[3] |
enterprise | T1608 | Stage Capabilities | - |
enterprise | T1608.001 | Upload Malware | For Operation Dream Job, Lazarus Group used compromised servers to host malware.[4][2][3][1] |
enterprise | T1608.002 | Upload Tool | For Operation Dream Job, Lazarus Group used multiple servers to host malicious tools.[2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | During Operation Dream Job, Lazarus Group digitally signed their own malware to evade detection.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.[2] |
enterprise | T1218.011 | Rundll32 | During Operation Dream Job, Lazarus Group executed malware with `C:\windows\system32\rundll32.exe "C:\ProgramData\ThumbNail\thumbnail.db" , CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905`.[4][2][3] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | During Operation Dream Job, Lazarus Group deployed malware designed not to run on computers whose Windows language preferences were set to Korean, Japanese, or Chinese.[4] |
enterprise | T1221 | Template Injection | During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template (DOTM) file.[4][3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[4][2] |
enterprise | T1204.002 | Malicious File | During Operation Dream Job, Lazarus Group lured victims into executing malicious documents that contained "dream job" descriptions from the defense, aerospace, and other sectors.[4][3] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.[4] |
enterprise | T1497.003 | Time Based Evasion | During Operation Dream Job, Lazarus Group used tools that collected GetTickCount and GetSystemTimeAsFileTime data to detect sandbox or VMware services.[4] |
enterprise | T1047 | Windows Management Instrumentation | During Operation Dream Job, Lazarus Group used WMIC to execute a remote XSL script.[2] |
enterprise | T1220 | XSL Script Processing | During Operation Dream Job, Lazarus Group used a remote XSL script to download a Base64-encoded custom DLL downloader.[2] |
Software
ID | Name | Description |
---|---|---|
S0694 | DRATzarus | During Operation Dream Job, Lazarus Group used DRATzarus to deploy open-source and partly commodity software such as Responder, Wake-On-Lan, and ChromePass to target infected hosts.[4] |
References
1. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
2. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
3. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
4. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
5. Lakshmanan, R. (2022, August 17). North Korea Hackers Spotted Targeting Job Seekers with macOS Malware. Retrieved April 10, 2023.