Lazarus, the North Korea-linked APT group, is targeting organizations operating in the chemical sector in South Korea. The campaign seems to be a continuation of Operation Dream Job spotted in August 2020.
The attacks on South Korea
In January, Symantec spotted attacks on networks of various organizations from South Korea. The targeted organizations were mainly in the chemical sector, while some belonged to the IT sector as well.
Researchers suspect the gang targets IT organizations as a stepping stone to gain access to chemical sector organizations.
In 2020 and 2021, the Dream Job campaigns targeted defense, government, and engineering organizations. However, the recent focus on chemical companies started in January 2022.
Attack tactics
The attackers used phony job offers to fool job seekers into clicking on links or opening malicious attachments, which enabled the cybercriminals to install spyware on the victims' computers.
In some cases, the attackers dumped credentials from the registry, dropped a BAT file to gain persistence, and used a scheduled task configured to run as a specific user.
Attack tools and methods
The attacks typically begin with a victim receiving a malicious HTML file.
The attackers move laterally using WMI and inject into the MagicLine application by DreamSecurity on other systems.
Further, they used shellcode loaders that downloaded and executed arbitrary commands. Additional malware was executed with the help of the Tukaani project's LZMA Utils library (XZ Utils).
Additionally, they used various tools such as SiteShoter, IP Logger, FastCopy, Wake-On-LAN, and FTP.
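The tactics summarised above (registry credential dumping, a BAT file launched by a scheduled task for persistence, and lateral movement over WMI) each leave a recognisable footprint in Windows telemetry. The following detection rules, run over constructed event records, are an added example and are not code from the article or from Symantec; the event field names (id, image, parent_image, cmdline, task_action, run_as) mimic what a SIEM extracts from Sysmon event 1 and Security event 4698 and are assumptions, as are the sample events themselves.

```python
"""Detection rules for the Dream Job tradecraft described above, run over
constructed Windows event records. Added example, not from the original
article or from Symantec; field names and sample events are assumptions."""
import ntpath
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed sample events (not real telemetry). "id" 1 mimics a Sysmon
# process-creation event, "id" 4698 a Windows Security scheduled-task-created event.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save hklm\sam C:\Users\Public\sam.hiv", "user": "CORP\\jdoe"},
    {"id": "1", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion",
     "user": "CORP\\jdoe"},
    {"id": "4698", "task_name": r"\Microsoft\Windows\Update\Sync",
     "task_action": r"C:\Users\Public\update.bat", "run_as": "CORP\\svc_backup"},
    {"id": "4698", "task_name": r"\Backup\Nightly",
     "task_action": r"C:\Program Files\Backup\backup.exe", "run_as": "SYSTEM"},
    {"id": "1", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\stage.bat", "user": "CORP\\jdoe"},
    {"id": "1", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "user": "CORP\\jdoe"},
]

# "reg save" of a credential-bearing hive (SAM, SECURITY, SYSTEM) is the classic
# registry credential dump; the hive name is captured for the finding detail.
CRED_HIVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm\\)?(sam|security|system)\b", re.I)

SCRIPT_EXTENSIONS = (".bat", ".cmd")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def rule_registry_credential_dump(ev: Event) -> Optional[str]:
    """Process creation where reg.exe writes a credential hive to disk."""
    if ev.get("id") != "1" or _basename(ev.get("image", "")) != "reg.exe":
        return None
    m = CRED_HIVE_RE.search(ev.get("cmdline", ""))
    return f"reg save of {m.group(1).upper()} hive" if m else None


def rule_bat_scheduled_task(ev: Event) -> Optional[str]:
    """New scheduled task whose action is a batch script, reported with the
    account it runs as (the persistence mechanism the article describes)."""
    if ev.get("id") != "4698":
        return None
    action = ev.get("task_action", "")
    if _basename(action).endswith(SCRIPT_EXTENSIONS):
        return f"task {ev.get('task_name')} runs {action} as {ev.get('run_as')}"
    return None


def rule_wmi_spawned_process(ev: Event) -> Optional[str]:
    """Process whose parent is the WMI provider host: the usual footprint of
    remote process creation over WMI during lateral movement."""
    if ev.get("id") == "1" and _basename(ev.get("parent_image", "")) == "wmiprvse.exe":
        return f"{_basename(ev.get('image', ''))} spawned by WmiPrvSE.exe"
    return None


RULES = {
    "registry_credential_dump": rule_registry_credential_dump,
    "bat_scheduled_task_persistence": rule_bat_scheduled_task,
    "wmi_spawned_process": rule_wmi_spawned_process,
}


def run_rules(events: List[Event]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one finding per (rule, event) hit."""
    findings: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "event_index": idx, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event #{f['event_index']}: {f['detail']}")
```

Each rule keys on behaviour rather than on file names or hashes, so it survives the attackers renaming their BAT file or task: a legitimate backup task with an .exe action and a plain `reg query` pass through, while the hive export, the script-backed task and the WmiPrvSE.exe child process are each reported with enough detail to triage.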
Conclusion
The Operation Dream Job campaign has been ongoing for almost two years, and its recent activities indicate that the group's tactics remain effective. Moreover, the motive for targeting organizations in the chemical sector appears to be the theft of intellectual property. Organizations in the affected sectors are therefore advised to stay vigilant and keep adequate security controls in place.