{"description": "Enterprise techniques used by Lazarus Group, ATT&CK group G0032 (v4.1)", "name": "Lazarus Group (G0032)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) queried compromised victim's active directory servers to obtain the list of employees including administrator accounts.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyDelta-Two contains a function that attempts to rename the administrator\u2019s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has acquired domains related to their campaigns to act as distribution points and C2 channels.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) registered a domain name identical to that of a compromised company as part of their BEC effort.(Citation: ESET 
Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1583.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) acquired servers to host their malicious tools.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used file hosting services like DropBox and OneDrive.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1557", "showSubtechniques": true}, {"techniqueID": "T1557.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) executed [Responder](https://attack.mitre.org/software/S0174) using the command [Responder file path] -i [IP address] -rPv on a compromised host to harvest credentials and move laterally.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) uses HTTP and HTTPS to contact actor-controlled C2 servers.(Citation: McAfee Lazarus Jul 2020) ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, 
{"techniqueID": "T1010", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KiloAlfa keylogger also reports the title of the window in the foreground.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. (Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) archived victim's data into a RAR file.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", 
"showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) placed LNK files into the victims' startup folder for persistence.(Citation: McAfee Lazarus Jul 2020) ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware has maintained persistence on a system by creating a LNK shortcut in the user\u2019s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) performed brute force attacks against administrator accounts.(Citation: ESET Lazarus Jun 2020) ", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used PowerShell to execute commands and malicious code.(Citation: Google TAG Lazarus Jan 2021)During [Operation Dream 
Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used PowerShell commands to explore the environment of compromised victims.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) launched malicious DLL files, created new folders, and renamed folders with the use of the Windows command shell.(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used VBA and embedded macros in Word documents to execute malicious code.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) executed a VBA written malicious macro after victims download malicious DOTM files; [Lazarus Group](https://attack.mitre.org/groups/G0032) also used Visual Basic macro code to extract a double Base64 encoded DLL implant.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.001", "comment": "For 
[Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) compromised domains in Italy and other countries for their C2 infrastructure.(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1584.004", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021)For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) compromised servers to host their malicious tools.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families install themselves as new services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a custom secure delete function to overwrite file contents with data from heap memory.(Citation: Novetta Blockbuster)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation: Novetta 
Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used malicious Trojans and DLL files to exfiltrate data from an infected host.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee-GhostSecret-fixurl)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that used the `IsDebuggerPresent` call to detect debuggers.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) replaced the background wallpaper of systems with a 
threatening image after rendering the system unbootable with a [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002).(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021)For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) developed custom tools such as Sumarta, DBLL Dropper, [Torisma](https://attack.mitre.org/software/S0678), and [DRATzarus](https://attack.mitre.org/software/S0694) for their operations.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1587.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) digitally signed their malware and the dbxcli utility.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. 
A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.(Citation: US-CERT SHARPKNOT June 2018)(Citation: Novetta Blockbuster)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1189", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) delivered [RATANKBA](https://attack.mitre.org/software/S0241) and other malicious code to victims via a compromised legitimate website.(Citation: RATANKBA)(Citation: Google TAG Lazarus Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample XORs C2 traffic. Other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses Caracachs encryption to encrypt C2 payloads. 
[Lazarus Group](https://attack.mitre.org/groups/G0032) has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used an AES key to communicate with their C2 server.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has created new Twitter accounts to conduct social engineering against potential victims.(Citation: Google TAG Lazarus Jan 2021)For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created fake LinkedIn accounts for their targeting efforts.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has created new email accounts for spearphishing operations.(Citation: Kaspersky ThreatNeedle Feb 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created fake email accounts to correspond with fake LinkedIn personas; [Lazarus Group](https://attack.mitre.org/groups/G0032) also established email accounts to match those of the victim as part of their BEC attempt.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraBravo-Two generates an email message via SMTP containing information about 
newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has exfiltrated data and files over a C2 channel through its various tools and malware.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) exfiltrated data from a compromised host to actor-controlled C2 servers.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used a custom build of open-source command-line dbxcli to exfiltrate stolen data to Dropbox.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1203", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa sends data to one of the hard-coded C2 servers chosen at random, and if the transmission fails, chooses a new C2 server to attempt the transmission again.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware can use a common function to identify target files by 
their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted word searches within documents on a compromised host in search of security and financial matters.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1589", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted extensive reconnaissance research on potential targets.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1589.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1591", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021)For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) gathered victim organization information to identify specific targets.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1591.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus 
Group](https://attack.mitre.org/groups/G0032) targeted specific individuals within an organization with tailored job vacancy announcements.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has replaced `win_fw.dll`, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.(Citation: ESET Twitter Ida Pro Nov 2021) [Lazarus Group](https://attack.mitre.org/groups/G0032) utilized DLL side-loading to execute malicious payloads through abuse of the legitimate processes `wsmprovhost.exe` and `dfrgui.exe`.(Citation: ASEC Lazarus 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.013", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has abused the KernelCallbackTable to hijack process control flow and execute shellcode.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. 
Additionally, [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018). ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware modifies the Windows firewall to allow incoming connections or disable it entirely using [netsh](https://attack.mitre.org/software/S0108). (Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1656", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) impersonated HR hiring personnel through LinkedIn messages and conducted interviews with victims in order to deceive them into downloading malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: The Hacker News Lazarus Aug 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has restored malicious [KernelCallbackTable](https://attack.mitre.org/techniques/T1574/013) code to its original state after the process execution flow has been hijacked.(Citation: Lazarus APT January 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1070.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.(Citation: Kaspersky ThreatNeedle Feb 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", 
"comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware has deleted files in various ways, including \"suicide scripts\" to delete malware binaries from the victim. [Lazarus Group](https://attack.mitre.org/groups/G0032) also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) removed all previously delivered files from a compromised computer.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee GhostSecret)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1202", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) persistence mechanisms have used forfiles.exe to execute .htm files.(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: 
ESET Twitter Ida Pro Nov 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) downloaded multistage malware and tools onto a compromised host.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1534", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) conducted internal spearphishing from within a compromised organization.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has renamed system utilities such as wscript.exe and mshta.exe.(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ESET Twitter Ida Pro Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1036.008", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) disguised malicious template files as JPEG files to avoid detection.(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1104", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used multi-stage malware components that inject later stages into separate processes.(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.(Citation: McAfee Lazarus Jul 2020) [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used various, often lesser known, functions to perform various types of Discovery and [Process Injection](https://attack.mitre.org/techniques/T1055).(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)\nDuring [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used Windows API `ObtainUserAgentString` to obtain the victim's User-Agent and used the value to connect to their C2 server.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "Some [Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses a list of ordered port numbers to choose a port for C2 traffic, 
creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) packed malicious .db files with Themida to evade detection.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a custom hashing method to resolve APIs used in shellcode.(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has distributed malicious payloads embedded in PNG files.(Citation: Microsoft DiamondSleet 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for [Native API](https://attack.mitre.org/techniques/T1106) function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) encrypted malware such as  [DRATzarus](https://attack.mitre.org/software/S0694) with XOR and DLL files with base64.(Citation: ClearSky Lazarus Aug 
2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has obtained a variety of tools for their operations, including [Responder](https://attack.mitre.org/software/S0174) and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021)For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) obtained tools such as Wake-On-Lan, [Responder](https://attack.mitre.org/software/S0174), ChromePass, and dbxcli.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1588.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used code signing certificates issued by Sectigo RSA for some of its malware and tools.(Citation: ESET Lazarus Jun 2020) ", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1588.004", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent emails with malicious 
attachments to gain unauthorized access to targets' computers.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent malicious OneDrive links with fictitious job offer advertisements via email.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1566.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.(Citation: Google TAG Lazarus Jan 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) sent victims spearphishing messages via LinkedIn concerning fictitious jobs.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1542", "showSubtechniques": true}, {"techniqueID": "T1542.003", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to their C2 server. 
A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample performs reflective DLL injection.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. 
Another [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via [KernelCallbackTable](https://attack.mitre.org/techniques/T1574/013) hijacking. [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraCharlie uses RDP for propagation.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Lazarus 
Group](https://attack.mitre.org/groups/G0032) has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)\nDuring [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) created scheduled tasks to set a periodic execution of a remote XSL script.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1593", "showSubtechniques": true}, {"techniqueID": "T1593.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used LinkedIn to identify and target employees within a chosen organization.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.004", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) targeted Windows servers running Internet Information Systems (IIS) to install C2 components.(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.(Citation: Novetta Blockbuster Destructive Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used compromised servers to host malware.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 
2020)(Citation: McAfee Lazarus Nov 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1608.002", "comment": "For [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used multiple servers to host malicious tools.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has digitally signed malware and utilities to evade detection.(Citation: Lazarus APT January 2022)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) digitally signed their own malware to evade detection.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1218", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used mshta.exe to execute HTML pages downloaded by initial access documents.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used `regsvr32` to execute malware.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used rundll32 to execute malicious payloads on a 
compromised host.(Citation: ESET Twitter Ida Pro Nov 2021)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) executed malware with `C:\\\\windows\\system32\\rundll32.exe \"C:\\ProgramData\\ThumbNail\\thumbnail.db\"`, `CtrlPanel S-6-81-3811-75432205-060098-6872 0 0 905`.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server information about the first network interface card\u2019s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.(Citation: Novetta Blockbuster)(Citation: 
Novetta Blockbuster Loaders)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used net use to identify and establish a network connection with a remote host.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted systems after destroying files and wiping the MBR on infected systems.(Citation: US-CERT SHARPKNOT June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "A Destover-like implant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) can obtain the current system time and send it to the C2 server.(Citation: McAfee GhostSecret)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used DOCX files to retrieve a malicious document template/DOTM file.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus 
Group](https://attack.mitre.org/groups/G0032) lured users into executing a malicious link to disclose private account information or provide initial access.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) lured victims into executing malicious documents that contained \"dream job\" descriptions from defense, aerospace, and other sectors.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used administrator credentials to gain access to restricted network segments.(Citation: Kaspersky ThreatNeedle Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that conducted a variety of system checks to detect sandboxes or VMware services.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used tools that collected `GetTickCount` and `GetSystemTimeAsFileTime` data to detect sandbox or VMware 
services.(Citation: ClearSky Lazarus Aug 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Qualys LolZarus)During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used WMIC to execute a remote XSL script.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1220", "comment": "During [Operation Dream Job](https://attack.mitre.org/campaigns/C0022), [Lazarus Group](https://attack.mitre.org/groups/G0032) used a remote XSL script to download a Base64-encoded DLL custom downloader.(Citation: ESET Lazarus Jun 2020)", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Lazarus Group", "color": "#66b1ff"}, {"label": "used by a campaign attributed to Lazarus Group", "color": "#ff6666"}, {"label": "used by Lazarus Group and used by a campaign attributed to Lazarus Group", "color": "#ff66f4"}]}