Dream Job-1
Scenario
You are a junior threat intelligence analyst at a cybersecurity firm. You have been tasked with investigating a cyber-espionage campaign known as Operation Dream Job. The goal is to gather crucial information about this operation.
The Sherlock archive contains a single text file, IOCs.txt.
Tasks
Who conducted Operation Dream Job?
Operation Dream Job is a well-known campaign conducted by the Lazarus Group.
The operation is described in detail on MITRE ATT&CK.
When was this operation first observed?
According to the MITRE ATT&CK information page above, September 2019.
There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?
Also listed above: Operation Interception.
During Operation Dream Job, there were two system binaries used for proxy execution. One was Regsvr32, what was the other?
The binaries are listed under System Binary Proxy Execution in the Techniques Used table. The second binary is Rundll32.
The information can also be found in the ATT&CK Navigator found by clicking on the ATT&CK Navigator Layers → View above the table.
What lateral movement technique did the adversary use?
The easiest way to find the name of the technique is by looking under Lateral Movement techniques in the ATT&CK Navigator:
The relevant technique is Internal Spearphishing.
What is the technique ID for the previous answer?
Internal Spearphishing is technique T1534.
What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?
The name of the RAT is listed in the Software section on the bottom of the page:
The RAT is called DRATzarus.
What technique did the malware use for execution?
According to the ATT&CK Navigator view for the DRATzarus malware, the technique used for execution is Native API.
What technique did the malware use to avoid detection in a sandbox?
The information can be found in the ATT&CK Navigator view for DRATzarus: Time Based Evasion
To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?
IEXPLORE.EXE
When was the file associated with the second hash in the IOC first created?
2020-05-12 19:26:17 UTC
What is the name of the parent execution file associated with the second hash in the IOC?
The parent execution file is the file that produces the malware when executed. This is listed under Execution Parents in the Relations tab: BAE_HPC_SE.iso.
Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary's known tactics?
There is a long list of files dropped by the malware in the Behavior tab. Taking into account the methods used by the adversary for initial access, such as spearphishing, it's likely that the file name is something professional-sounding.
One of the file names in the list stands out as something a victim would likely attempt to open: Salary_Lockheed_Martin_job_opportunities_confidential.doc
Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?
A list of contacted URLs is provided in the Relations tab.
The URL contacted on 2022-08-03 was https://markettrendingcenter.com/lk_job_oppor.docx.
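As an added example (not part of the Sherlock or of VirusTotal's own tooling), this script pulls the fields the VirusTotal questions above rely on straight from the v3 API: the file's name and creation date, its execution parents, and the URLs it contacted on a given day. It assumes an API key in the VT_API_KEY environment variable for live lookups, and that the last_analysis_date field on a contacted URL is what the Relations tab shows as the scan date; the embedded sample is constructed, with the write-up's values merged onto one fictitious hash.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

VT = "https://www.virustotal.com/api/v3"

def vt_get(endpoint, api_key=None):
    """GET one v3 endpoint and return its decoded JSON (live use; needs network and an API key)."""
    key = api_key or os.environ.get("VT_API_KEY", "")
    req = urllib.request.Request(VT + endpoint, headers={"x-apikey": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def utc(ts):
    """VT stores timestamps as Unix epoch seconds; render them as UTC the way the GUI does."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def summarize(file_obj, parents, contacted, on_date=None):
    """Reduce a file object plus its execution_parents and contacted_urls listings to the
    fields asked for above; on_date ("YYYY-MM-DD") keeps only URLs seen on that day."""
    attrs = file_obj["data"]["attributes"]
    urls = []
    for u in contacted.get("data", []):
        seen = u["attributes"].get("last_analysis_date")  # assumption: matches the GUI 'Scanned' column
        if seen is not None and (on_date is None or utc(seen).startswith(on_date)):
            urls.append(u["attributes"]["url"])
    return {
        "name": attrs.get("meaningful_name"),
        "created": utc(attrs["creation_date"]) if "creation_date" in attrs else None,
        "execution_parents": [p["attributes"].get("meaningful_name") for p in parents.get("data", [])],
        "contacted_urls": urls,
    }

def lookup(sha256, on_date=None):
    """Live lookup for one hash from IOCs.txt (three requests against the v3 API)."""
    return summarize(vt_get(f"/files/{sha256}"), vt_get(f"/files/{sha256}/execution_parents"),
                     vt_get(f"/files/{sha256}/contacted_urls"), on_date)

# Constructed offline sample shaped like the three v3 responses (write-up values on one fictitious hash).
SAMPLE = (
    {"data": {"attributes": {"meaningful_name": "IEXPLORE.EXE", "creation_date": 1589311577}}},
    {"data": [{"type": "file", "attributes": {"meaningful_name": "BAE_HPC_SE.iso"}}]},
    {"data": [{"type": "url", "attributes": {"url": "https://markettrendingcenter.com/lk_job_oppor.docx",
                                             "last_analysis_date": 1659520800}},   # 2022-08-03
              {"type": "url", "attributes": {"url": "https://example.invalid/unrelated",
                                             "last_analysis_date": 1659700000}}]},  # 2022-08-05
)

if __name__ == "__main__":
    print(json.dumps(summarize(*SAMPLE, on_date="2022-08-03"), indent=2))
```

For a live run, call lookup() for each hash read from IOCs.txt; the fields come back in the same shape as the sample output.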