This ongoing cyber campaign targeted defense and governmental organizations globally, employing a social engineering tactic with enticing “dream job” offers sent on behalf of major U.S. aerospace companies. The attackers, known for both espionage and financial theft, successfully infiltrated numerous companies through a sophisticated campaign involving reconnaissance, fictitious LinkedIn profiles, personalized emails, and direct communication via phone and WhatsApp.
Lazarus Group Deconstructed
The Lazarus group, notorious for the Sony breach and WannaCry attack, is assessed to operate globally with a focus on financial cyber heists, exhibiting a shift towards cryptocurrency exchanges.
Operation Dream Job unfolded as a cyberattack spanning from early 2020 to mid-2022, targeting professionals globally, particularly in the defense sector and government organizations. The adversaries employed sophisticated social engineering techniques, offering deceptive job opportunities purportedly from renowned defense and aerospace companies like Boeing, Lockheed Martin, Airbus, and BAE. This tactic mirrors the observed activity reported by ClearSky in August 2020.
A distinctive feature of Lazarus is its dual mission of both theft and espionage, a combination uncommon among state actors, which typically prioritize espionage alone. The group has significantly enhanced its operational toolset by building an elaborate social engineering infrastructure that relies on fictitious profiles created through extensive reconnaissance. Improved English skills among group operators allow direct communication with victims via WhatsApp or phone calls. The possibility of Lazarus sharing data with other states, such as Iran, raises concerns about collaborative targeting of defense companies.
Tactics and Attack Stages
The “Dream Job” campaign showcased a sophisticated arsenal of tools and social engineering tactics designed to infiltrate targets and establish a persistent presence within infected organizations. The attack’s progression involves the initial downloading and saving of a malicious Office document, ensuring persistence through the Startup folder and utilizing a dropped LNK shortcut file. Subsequently, the DBLL Loader is downloaded and stored on the system, executed via RunDLL32, and serves as the means to deploy the final payload known as DRATzarus.
Additionally, a redundant LNK file was employed to reinstall malware on the target, ensuring a lasting “foothold.” The attack methods involved the use of malicious macros embedded in Doc and Dotm files, as well as a Docx file employing template injection to download and activate malicious files from a compromised C2 server. In the concluding stage of the attack graph, communication between the malware and the adversary infrastructure is reestablished. This phase encompasses the exploration of local network connections and the extraction of browser credentials using LaZagne, providing the attackers with unauthorized access and compromising the targeted systems.
In instances where the group encountered challenges in operating its proprietary tools, they resorted to publicly available open-source tools during the fifth stage of the attack. These tools served purposes such as harvesting high-privilege credentials and maintaining persistence on the target. The group’s adaptability, utilizing a combination of self-developed, modified, and open-source tools, showcased a nuanced and strategic approach to achieving their objectives in the “Dream Job” campaign.
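The stages described above (an Office document dropping an LNK into the Startup folder, a loader DLL launched through RunDLL32 from a user-writable path, an Office process spawning a child, and LaZagne-style browser credential dumping) each leave telemetry a defender can match on. The following is an added example written for this article, not code from AttackIQ or from any vendor product; the event format and the sample events are constructed here (loosely modelled on Sysmon/EDR process-creation and file-creation fields), and the field names `event`, `image`, `parent_image`, `cmdline`, `path` are assumptions of this example.

```python
"""Constructed detection rules for the Dream Job-style attack chain.

Each rule takes one event dict and returns True when the event matches.
analyze() runs every rule over every event and returns (rule_name, event_id)
findings in a deterministic order, so the results can be asserted on.
"""
import re
from pathlib import PureWindowsPath

# Per-user and all-users Startup folders share this suffix (case-insensitive).
STARTUP_FOLDER_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Locations an unprivileged user can write to; a DLL loaded by rundll32
# from one of these is far more suspicious than one under System32.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Windows\\Temp)\\", re.IGNORECASE)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_EXTENSIONS = (".lnk", ".doc", ".docm", ".dotm", ".docx", ".dll")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_startup_folder_persistence(ev: dict) -> bool:
    """File write into a Startup folder (the LNK reinstall trick, or a dropped document/DLL)."""
    if ev.get("event") != "file_create":
        return False
    path = ev.get("path", "")
    return bool(STARTUP_FOLDER_RE.search(path)) and path.lower().endswith(DROPPED_EXTENSIONS)


def rule_rundll32_user_writable_dll(ev: dict) -> bool:
    """rundll32.exe asked to load a DLL that lives in a user-writable directory."""
    if ev.get("event") != "process_create" or _basename(ev.get("image", "")) != "rundll32.exe":
        return False
    # First argument after rundll32[.exe], quoted or not, up to the ",Export" separator.
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)', ev.get("cmdline", ""), re.IGNORECASE)
    return bool(m) and bool(USER_WRITABLE_RE.match(m.group(1)))


def rule_office_spawns_child(ev: dict) -> bool:
    """An Office application starting a non-Office process (macro or template-injection payload)."""
    if ev.get("event") != "process_create":
        return False
    parent = _basename(ev.get("parent_image", ""))
    child = _basename(ev.get("image", ""))
    return parent in OFFICE_PARENTS and child not in OFFICE_PARENTS


def rule_credential_dump_tool(ev: dict) -> bool:
    """Command line referencing LaZagne (browser/credential harvesting)."""
    return ev.get("event") == "process_create" and "lazagne" in ev.get("cmdline", "").lower()


RULES = [
    ("startup_folder_persistence", rule_startup_folder_persistence),
    ("rundll32_user_writable_dll", rule_rundll32_user_writable_dll),
    ("office_spawns_child", rule_office_spawns_child),
    ("credential_dump_tool", rule_credential_dump_tool),
]


def analyze(events: list) -> list:
    """Return [(rule_name, event_id), ...] for every rule that fires on every event."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, ev["id"]))
    return findings


# Constructed sample telemetry: four malicious-looking events and two benign ones.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"id": 1, "event": "file_create", "image": WINWORD,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 2, "event": "process_create", "parent_image": WINWORD,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c start loader"},
    {"id": 3, "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Entry"},
    {"id": 4, "event": "process_create", "parent_image": r"C:\Windows\explorer.exe",   # benign
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 5, "event": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "cmdline": r"python.exe laZagne.py browsers"},
    {"id": 6, "event": "file_create", "image": r"C:\Windows\explorer.exe",            # benign
     "path": r"C:\Users\alice\Downloads\offer.docx"},
]

if __name__ == "__main__":
    for name, event_id in analyze(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Each rule maps to one scenario in the package list below (Startup folder persistence, DLL via RunDLL32, malicious Office document, LaZagne); the benign rundll32 event shows why the user-writable-path check matters, since `rundll32.exe shell32.dll,Control_RunDLL` is routine Windows behaviour.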
AttackIQ Flex Has You Covered!
Ever wondered how resilient your organization’s cyber defenses would be against a sophisticated adversary like Lazarus Group and their intricate “Dream Job” campaign? What if there was a way to test and fortify your security measures against the dual mission of theft and espionage, intricate social engineering tactics, and targeted attacks through platforms like LinkedIn? Great news… There is! AttackIQ Flex is a cutting-edge testing platform that revolutionizes the validation of security controls without the need for expensive and time-consuming manual testing. With a flexible pay-as-you-go consumption model, AttackIQ Flex allows you to test your defenses precisely as needed, ensuring that your organization can evaluate and enhance cybersecurity resilience across different elements of your business. Now you can proactively challenge and strengthen your defenses against advanced adversaries like Lazarus Group, all while optimizing costs and resource utilization.
Scenarios included in this AttackIQ Flex package:
- Download 2020-08 Operation Dream Job DRATzarus to Memory
- Lazarus Group’s DRATzarus Initial C2 Request using HTTP POST
- Download 2020-08 Operation Dream Job DBLL Dropper to Memory
- Execute DLL Through RunDLL32
- Save 2020-08 Operation Dream Job DRATzarus to File System
- Persistence Through Startup Folder
- Save 2020-04 Lazarus Group Operation Dream Job Malicious Office Document to File System
- Dump Browser Passwords using LaZagne
- Download 2020-04 Lazarus Group Operation Dream Job Malicious Office Document to Memory
- System Network Connections Discovery
- Save 2020-08 Operation Dream Job DBLL Dropper to File System
Ready to start testing for free with AttackIQ Flex? Create your account now!