Hyas Blog | Lazarus Group “Operation Dream Job”: Lessons in Attack Infrastructure

The Lazarus Group (aka Hidden Cobra, Labyrinth Chollima, Zinc, Guardians of Peace) is a threat actor group that has been attributed to the Democratic People’s Republic of Korea (DPRK). Lazarus Group’s targeting closely aligns with North Korean economic and geopolitical interests; its operations are primarily motivated by financial gain as a means of circumventing international sanctions. In recent years, however, Lazarus Group has further expanded its operations to target the defense and aerospace industries.

Lazarus Group operations are characterized by their use of custom and commodity malware for financial, espionage, and disruptive purposes. HYAS has previously observed Lazarus Group campaign infrastructure being used against targets in the US, Israel and other countries as part of our ongoing work to provide additional telemetry and, where possible, advance warning to our clients.

Operation Dream Job

The Lazarus Group’s most recent campaign, known as “Operation Dream Job,” targeted employees in the defense and aerospace industries with an offer of their “dream job” at a prestigious company such as Boeing, Lockheed Martin, or BAE. [1] The network infrastructure used in Operation Dream Job consisted of multiple legitimate domains that had been compromised by Lazarus Group. These compromised, legitimate domains facilitated Lazarus Group’s malicious activities by acting as Command and Control (C2) servers hosting malware in the form of malicious DOTM files. [1]

Network infrastructure

HYAS Intelligence Services analysts were able to uncover additional domains attributable to the same registrant behind the Command and Control (C2) domain tronslogshipping[.]com. [2]

Using HYAS Insight, analysts can take a known C2 domain and pivot off it to uncover additional related domains, registration details and observables. In this case, when pivoting off the Lazarus C2 domain tronslog[.]com/public/appstore.php in HYAS Insight, five additional domains attributable to the same registrant were identified. While these domains have yet to be confirmed as malicious, it is worthwhile for security practitioners to monitor them for potential future malicious activity, given their association.

  • tronsddf[.]com
  • tronslog[.]com
  • tronslogprojects[.]com
  • lmvdrivers[.]com
  • headsworldwide[.]in

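The registrant pivot and the follow-on monitoring described above can be reduced to two steps a defender can automate: group domains that share registrant attributes with a seed indicator, then sweep resolver logs for the resulting watchlist. The script below is an added example and is not HYAS Insight code or any part of the Lazarus infrastructure; the WHOIS-style records and DNS log lines are constructed sample data with placeholder registrant values, and only the domain names are taken from the list above. The registrable-domain helper uses a two-label heuristic rather than the public suffix list.

```python
"""Added example: pivot from one defanged C2 indicator on shared registrant
fields, build a watchlist, and sweep a DNS query log for hits.
Records and log lines are constructed; registrant values are placeholders."""
from collections import defaultdict

# Constructed WHOIS-style records. Registrant fields are placeholders, not real data;
# the domain names are the ones listed in the post.
RECORDS = [
    {"domain": "tronslogshipping.com", "registrant_email": "reg-a@example.invalid", "registrant_name": "Registrant A"},
    {"domain": "tronsddf.com",         "registrant_email": "reg-a@example.invalid", "registrant_name": "Registrant A"},
    {"domain": "tronslog.com",         "registrant_email": "reg-a@example.invalid", "registrant_name": "Registrant A"},
    {"domain": "tronslogprojects.com", "registrant_email": "reg-a@example.invalid", "registrant_name": "Registrant A"},
    {"domain": "lmvdrivers.com",       "registrant_email": "other@example.invalid", "registrant_name": "Registrant A"},
    {"domain": "headsworldwide.in",    "registrant_email": "reg-a@example.invalid", "registrant_name": "Someone Else"},
    {"domain": "benign-corp.example",  "registrant_email": "it@benign-corp.example", "registrant_name": "Benign Corp"},
]
# Attributes worth pivoting on; a single shared value is enough to link two domains.
PIVOT_KEYS = ("registrant_email", "registrant_name")


def refang(ioc):
    """Turn a defanged indicator (tronslog[.]com, hxxp://...) back into a usable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(domain):
    """Defang a domain for safe display in reports."""
    return domain.replace(".", "[.]")


def registrable_domain(indicator):
    """Reduce a host, URL or path-style indicator to its registrable domain.
    Two-label heuristic only; production code should consult the public suffix list."""
    host = refang(indicator).split("://")[-1].split("/")[0].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def pivot(seed_ioc, records=RECORDS, keys=PIVOT_KEYS):
    """Return {domain: {"key=value", ...}} for every domain sharing a pivot key with the seed."""
    seed = registrable_domain(seed_ioc)
    index = defaultdict(set)                      # (key, value) -> domains carrying it
    for r in records:
        for k in keys:
            if r.get(k):
                index[(k, r[k])].add(r["domain"])
    related = defaultdict(set)
    for r in records:
        if r["domain"] != seed:
            continue
        for k in keys:
            v = r.get(k)
            for d in index.get((k, v), ()):
                if d != seed:
                    related[d].add(f"{k}={v}")
    return dict(related)


def build_watchlist(seed_ioc, records=RECORDS):
    """Seed domain plus everything the registrant pivot linked to it."""
    return {registrable_domain(seed_ioc), *pivot(seed_ioc, records)}


def sweep_dns_log(lines, watchlist):
    """Match key=value DNS log lines against the watchlist, including subdomains.
    Returns (timestamp, client, queried name, matched watchlist domain) per hit."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        q = fields.get("query", "").lower().rstrip(".")
        for d in watchlist:
            # Suffix match on a label boundary so nottronslog.com does not match tronslog.com.
            if q == d or q.endswith("." + d):
                hits.append((fields.get("ts"), fields.get("client"), q, d))
    return hits


SAMPLE_LOG = [  # constructed resolver log lines
    "ts=2021-02-09T10:00:01Z client=10.0.0.5 query=www.benign-corp.example type=A",
    "ts=2021-02-09T10:00:07Z client=10.0.0.9 query=update.tronslogprojects.com type=A",
    "ts=2021-02-09T10:00:12Z client=10.0.0.9 query=headsworldwide.in type=A",
    "ts=2021-02-09T10:00:15Z client=10.0.0.3 query=nottronslog.com type=A",
]

if __name__ == "__main__":
    seed = "tronslogshipping[.]com"
    for dom, why in sorted(pivot(seed).items()):
        print(f"{defang(dom):28s} shares {', '.join(sorted(why))}")
    for hit in sweep_dns_log(SAMPLE_LOG, build_watchlist(seed)):
        print("HIT", hit)
```

The pivot records which attribute produced each link, so an analyst can weigh a match on a shared registrant name differently from a match on a shared e-mail address before promoting a domain from "monitor" to "block"; the sweep matches on a label boundary so look-alike names outside the watchlist are not reported.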
Summary

Starting with a single piece of incident data, we were able to discover additional domains and observables in an adversary’s campaign infrastructure using HYAS Insight. This approach gives security practitioners early visibility into potentially malicious domains that have not yet been added to IOC watchlists, and allows companies to better protect themselves through enhanced situational awareness.

References

  [1] ClearSky Research Team, “Operation ‘Dream Job’ Widespread North Korean Espionage Campaign,” ClearSky Security, 13 August 2020 [Online]. Available: https://www.clearskysec.com/operation-dream-job/. [Accessed 9 February 2021].

  [2] Tomonaga, Shusei, “Operation Dream Job by Lazarus,” JPCERT Coordination Center official Blog, 26 January 2021 [Online]. Available: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html/. [Accessed 9 February 2021].