{"description": "Enterprise techniques used by Operation Dream Job, ATT&CK campaign C0022 (v1.2)", "name": "Operation Dream Job (C0022)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) queried compromised victim's active directory servers to obtain the list of employees including administrator accounts.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) registered a domain name identical to that of a compromised company as part of their BEC effort.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) acquired servers to host their malicious tools.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used file hosting services like DropBox and OneDrive.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) uses HTTP and HTTPS to contact actor-controlled C2 servers.(Citation: McAfee Lazarus Jul 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) archived victim's data into a RAR file.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) placed LNK files into the victims' startup folder for persistence.(Citation: McAfee Lazarus Jul 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) performed brute force attacks against administrator accounts.(Citation: ESET Lazarus Jun 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used PowerShell commands to explore the environment of compromised victims.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) executed a VBA written malicious macro after victims download malicious DOTM files; [Lazarus Group](https://attack.mitre.org/groups/G0032) also used Visual Basic macro code to extract a double Base64 encoded DLL implant.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) compromised domains in Italy and other countries for their C2 infrastructure.(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584.004", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) compromised servers to host their malicious tools.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used malicious Trojans and DLL files to exfiltrate data from an infected host.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that used the `IsDebuggerPresent` call to detect debuggers.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) developed custom tools such as Sumarta, DBLL Dropper, [Torisma](https://attack.mitre.org/software/S0678), and [DRATzarus](https://attack.mitre.org/software/S0694) for their operations.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1587.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) digitally signed their malware and the dbxcli utility.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used an AES key to communicate with their C2 server.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created fake LinkedIn accounts for their targeting efforts.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created fake email accounts to correspond with fake LinkedIn personas; [Lazarus Group](https://attack.mitre.org/groups/G0032) also established email accounts to match those of the victim as part of their BEC attempt.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) exfiltrated data from a compromised host to actor-controlled C2 servers.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted word searches within documents on a compromised host in search of security and financial matters.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1589", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted extensive reconnaissance research on potential targets.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1591", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) gathered victim organization information to identify specific targets.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1591.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) targeted specific individuals within an organization with tailored job vacancy announcements.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1656", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) removed all previously delivered files from a compromised computer.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) downloaded multistage malware and tools onto a compromised host.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1534", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted internal spearphishing from within a compromised organization.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) disguised malicious template files as JPEG files to avoid detection.(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used Windows API `ObtainUserAgentString` to obtain the victim's User-Agent and used the value to connect to their C2 server.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) packed malicious .db files with Themida to evade detection.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) encrypted malware such as  [DRATzarus](https://attack.mitre.org/software/S0694) with XOR and DLL files with base64.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) obtained tools such as Wake-On-Lan, [Responder](https://attack.mitre.org/software/S0174), ChromePass, and dbxcli.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used code signing certificates issued by Sectigo RSA for some of its malware and tools.(Citation: ESET Lazarus Jun 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent emails with malicious attachments to gain unauthorized access to targets' computers.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent malicious OneDrive links with fictitious job offer advertisements via email.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent victims spearphishing messages via LinkedIn concerning fictitious jobs.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created scheduled tasks to set a periodic execution of a remote XSL script.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1593", "showSubtechniques": true}, {"techniqueID": "T1593.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used LinkedIn to identify and target employees within a chosen organization.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) targeted Windows servers running Internet Information Systems (IIS) to install C2 components.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used compromised servers to host malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608.002", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used multiple servers to host malicious tools.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) digitally signed their own malware to evade detection.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used `regsvr32` to execute malware.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) executed malware with `C:\\\\windows\\system32\\rundll32.exe \"C:\\ProgramData\\ThumbNail\\thumbnail.db\"`, `CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905`.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1221", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used DOCX files to retrieve a malicious document template/DOTM file.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) lured users into executing a malicious link to disclose private account information or provide initial access.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) lured victims into executing malicious documents that contained \"dream job\" descriptions from defense, aerospace, and other sectors.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that conducted a variety of system checks to detect sandboxes or VMware services.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that collected `GetTickCount` and `GetSystemTimeAsFileTime` data to detect sandbox or VMware services.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used WMIC to executed a remote XSL script.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1220", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used a remote XSL script to download a Base64-encoded DLL custom downloader.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation Dream Job", "color": "#66b1ff"}]}