The North Korean-sponsored advanced persistent threat (APT) group called Lazarus targets organisations that operate in South Korea’s chemical sector. This current espionage campaign appears to be the sequel of the Operation Dream Job conducted by the same APT group discovered by researchers in August last year.
At the beginning of the year, a research team identified the attacks on networks of several government organisations based in South Korea. According to the researchers, the threat actors prioritised targeting the country’s chemical sector, while others belonged to the IT department within South Korea.
Experts claim that the Lazarus APT targets the IT firms to obtain initial access to the chemical sector.
The Dream Job campaign has attacked South Korea’s government, engineering, and defence organisations for the past two years. However, the threat actors have refocused on targeting the chemical sector.
The Lazarus threat group deployed numerous fake job offers to trick job seekers into clicking on malicious attachments or links. This strategy allowed the threat groups to install spyware on targeted computers used by the job seekers.
In other cases, the APT group dumped several credentials from the registry, installed a BAT file to establish persistence on the infected device, and utilised a scheduled task configured to operate as a particular user.
The adversary commonly starts with a target receiving a compromised HTML file. If the target opens the file, the attackers can navigate laterally across the device by using WMI and inject MagicLine on other systems.
In addition, the threat actors utilised shellcode loaders that gather and execute arbitrary commands. Lazarus then used the XZ Utils tool to run additional malware. Lastly, they also used several malicious tools such as IP Logger, Siteshoter, Wake-On-Lan, FTP, and FastCopy.
For years, the Operation Dream Job espionage campaign has been rampaging in South Korea. Its recent movements imply that the strategies utilised by the APT group are still efficient for attacks.
Experts think that the reason behind targeting the chemical sector seems to be acquiring intellectual property from their neighbour country. Therefore, associated organisations are suggested to stay vigilant and have adequate security.
