Lazarus Targets Chemical Sector

North Korea-linked Lazarus continues its Dream Job espionage campaign against chemical-sector organizations, using fake job offers, Trojanized tools, and a multi-stage payload chain to infiltrate networks and steal intellectual property. Symantec, which tracks this activity under the name Pompilus, links it to Operation Dream Job and documents signed malicious DLLs, shellcode loaders, WMI-based lateral movement, credential dumping, and a range of post-compromise utilities. Hashtags: #Lazarus #DreamJob #Pompilus #OperationDreamJob #Tukaani #LZMAUtils #SiteShoter #IPLogger #WakeOnLAN #MagicLine #INISafeWebEX

Keypoints

  • Lazarus is conducting an espionage campaign in the chemical sector, continuing Operation Dream Job and tracked as Pompilus.
  • The intrusion starts with a malicious HTM lure (likely delivered as an email link or a web download) that is copied to a DLL and injected into legitimate software.
  • The DLL (scskapplink.dll) is a signed Trojanized tool with malicious exports, used to fetch and execute a backdoor payload from a C&C server.
  • Shellcode loaders and Trojanized components (e.g., final.cpl, 61e305d6…, wpm.cpl) enable download/execute chains and post‑compromise activity.
  • Attacks include credential dumping from SAM/SYSTEM hives, persistence via scheduled tasks, and post‑compromise tools like SiteShoter, IP Logger, WakeOnLAN, FastCopy, and FTP usage.
  • Lateral movement leverages Windows Management Instrumentation (WMI) and injection into MagicLine on other machines.
  • A detailed January 17–20, 2022 case study documents step-by-step attacker activity on a chemical-sector organization.
  • Indicators of compromise include numerous SHA-256 hashes, IPs, domains, and specific file/service artifacts associated with the campaign.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The attackers used a malicious HTM file delivered via email or downloaded from the web: “A typical attack begins when a malicious HTM file is received, likely as a malicious link in an email or downloaded from the web.”
  • [T1105] Ingress Tool Transfer – The HTM file is copied to a DLL file … which downloads and executes an additional payload from a command-and-control (C&C) server, using the URL parameter key/value “prd_fld=racket”.
  • [T1055] Process Injection – The HTM file is copied to a DLL file … injected into the legitimate system management software INISAFE Web EX Client.
  • [T1036] Masquerading – The DLL file is a signed Trojanized version of a legitimate tool with malicious exports added; the valid signature lets it pass for benign software.
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The shellcode loader is invoked via rundll32.exe, e.g., “rundll32.exe CSIDL_PROFILE\public\scskapplink.dll,netsetcookie Cnusrmgr”.
  • [T1071.001] Web Protocols – The malware connects to, downloads, decodes, and executes shellcode from a remote web location (C2). Quote: “The malware connects to, downloads, decodes, and executes shellcode from the remote location: hxxp[:]//happy[.]nanoace.co.kr/Content/rating/themes/krajee-fas/FrmAMEISMngWeb.asp”.
  • [T1071.004] Application Layer Protocol: FTP – FTP is used under the MagicLine process for file transfer: “the File Transfer Protocol (FTP) executed under the MagicLine process.”
  • [T1047] Windows Management Instrumentation – Lateral movement on the network using WMI and injection into MagicLine on other machines: “lateral movement on the network using Windows Management Instrumentation (WMI) and inject into MagicLine by DreamSecurity on other machines.”
  • [T1003.002] OS Credential Dumping: Security Account Manager – Credentials are dumped from the SAM and SYSTEM registry hives: “dump credentials from the SAM and SYSTEM registry hives.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via scheduled tasks: “The attackers create a scheduled task to ensure persistence between system reboots.”
  • [T1113] Screen Capture – Post-compromise tools include a utility to take screenshots at intervals: “a tool used to take screenshots of web pages viewed on the compromised machine at set intervals (SiteShoter).”
  • [T1135] Network Share Discovery – Information gathering includes network configuration, active users, and available shared drives: “to collect information pertaining to network configuration, current user the attackers are logged in as, active users on the machine, available shared drives, and the contents of the ‘addins’ directory.”
  • [T1083] File and Directory Discovery – Discovery of file artifacts such as addins and CPLs (e.g., “dir CSIDL_WINDOWS\addins”).
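The process-level tradecraft in the list above (rundll32 loading a DLL from a user-writable directory with a named export, commands spawned under the WMI provider host, hive exports via reg save, and scheduled-task creation) maps directly onto process-creation telemetry. The following is an added example, not code from Symantec or from the page, that runs that detection logic over constructed events shaped like Sysmon Event ID 1 / Security 4688 records; the hostnames, parent processes, the task name and the C:\Users\Public paths (where CSIDL_PROFILE\public resolves on a default install) are assumptions for illustration.

```python
"""Added example: detection logic for T1218.011, T1047, T1003.002 and
T1053.005 as described on the page, run over constructed process events.
Not Symantec's code; hostnames, parents, paths and the task name are
illustrative."""
import re

# Constructed sample events (not real telemetry). CSIDL_PROFILE\public
# resolves to C:\Users\Public on a default install.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\scskapplink.dll,netsetcookie Cnusrmgr"},
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"host": "ws02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Windows\addins"},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn arm /tr "C:\Users\Public\arm.bat" /sc onstart /ru system'},
    {"host": "ws03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# Directories a standard user can write to; a DLL loaded by rundll32 from
# one of these deserves a look regardless of the export name.
USER_WRITABLE = re.compile(
    r"(?i)^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|%(?:temp|tmp|appdata|localappdata|public)%)")
# rundll32 [path\]name.dll,ExportName [args]  -> captures path and export
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+\.(?:dll|cpl))"?\s*,\s*(\w+)')
# reg save ...\sam|system|security  -> offline hive export for credential dumping
HIVE_SAVE_RE = re.compile(r"(?i)\bsave\b.*?\\(?:sam|system|security)\b")
# Interpreters that WmiPrvSE.exe should not normally be spawning
WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return a list of (technique, host, detail) tuples for one event."""
    alerts = []
    host, cmd = event["host"], event["cmdline"]
    image, parent = basename(event["image"]), basename(event["parent"])
    if image == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        if m and USER_WRITABLE.match(m.group(1)):
            alerts.append(("T1218.011", host,
                           f"rundll32 loaded {m.group(1)} export {m.group(2)} from a user-writable path"))
    if parent == "wmiprvse.exe" and image in WMI_CHILDREN:
        alerts.append(("T1047", host, f"{image} spawned by WmiPrvSE.exe: {cmd}"))
    if image == "reg.exe" and HIVE_SAVE_RE.search(cmd):
        alerts.append(("T1003.002", host, f"registry hive export: {cmd}"))
    if image == "schtasks.exe" and "/create" in cmd.lower():
        m = re.search(r'(?i)/tn\s+"?([^"\s]+)', cmd)
        alerts.append(("T1053.005", host, f"scheduled task created: {m.group(1) if m else '?'}"))
    return alerts


def run(events):
    """Apply detect() to every event and flatten the alerts in event order."""
    return [a for e in events for a in detect(e)]


if __name__ == "__main__":
    for technique, host, detail in run(SAMPLE_EVENTS):
        print(f"{technique} {host}: {detail}")
```

The rundll32 rule keys on the load path rather than on the export name, because the export (netsetcookie here) is trivially changed between builds while loading a DLL from a user-writable directory is the durable signal; a signed file does not exempt it, since the page notes the Trojanized DLL carries a valid signature.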

Indicators of Compromise

  • [SHA-256] – Sample file hashes observed during the operation: 164f6a8f7d2035ea47514ea84294348e32c90d817724b80ad9cd3af6f93d83f8, 18686d04f22d3b593dd78078c9db0ac70f66c7138789ad38469ec13162b14cef, and two further hashes
  • [SHA-256] – Additional hashes: 1cb8ea3e959dee988272904dbb134dad93539f2c07f08e1d6e10e75a019b9976, 2dd29b36664b28803819054a59934f7a358a762068b18c744281e1589af00f1f
  • [IP] 52.79.118.195, 61.81.50.174 – observed network activity related to C2 and command flow
  • [URL] hxxp[:]//happy[.]nanoace.co.kr/Content/rating/themes/krajee-fas/FrmAMEISMngWeb.asp – remote location from which the loader downloads, decodes, and executes shellcode
  • [Domain] mariamchurch[.]com, www.aumentarelevisite[.]com – domains involved in hosting or communicating with C2 infrastructure
  • [File name] addins.cpl, final.cpl, wpm.cpl – Trojanized/loader CPLs observed during the campaign
  • [File] arm.dat, arm.bat, dolby.cpl – auxiliary files involved in post-compromise activities (e.g., screenshots, persistence)
  • [Service] arm, uso – services created/persisted for execution and persistence
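The indicators above are published defanged (hxxp, [.], [:]) and are of mixed kinds (a full URL, bare domains, IPs, SHA-256 digests), so sweeping telemetry for them means refanging first and then matching each kind appropriately: the URL as a substring, domains including their subdomains but not lookalike suffixes, IPs exactly, hashes exactly. The following is an added example, not code from Symantec or from the page, that does this against constructed proxy-log lines and a constructed file-hash inventory; the indicators are copied from this page, while every log line, host name, file path and the all-zero digest are made up.

```python
"""Added example: refang the page's indicators and sweep constructed
proxy-log lines and a constructed hash inventory for them.
Not Symantec's code; log lines, paths and the non-matching hash are
constructed for the example."""
import re

# Indicators as listed on the page (defanged).
DEFANGED_IOCS = {
    "url": ["hxxp[:]//happy[.]nanoace.co.kr/Content/rating/themes/krajee-fas/FrmAMEISMngWeb.asp"],
    "domain": ["mariamchurch[.]com", "www.aumentarelevisite[.]com"],
    "ip": ["52.79.118.195", "61.81.50.174"],
    "sha256": [
        "164f6a8f7d2035ea47514ea84294348e32c90d817724b80ad9cd3af6f93d83f8",
        "18686d04f22d3b593dd78078c9db0ac70f66c7138789ad38469ec13162b14cef",
        "1cb8ea3e959dee988272904dbb134dad93539f2c07f08e1d6e10e75a019b9976",
        "2dd29b36664b28803819054a59934f7a358a762068b18c744281e1589af00f1f",
    ],
}

# Constructed log lines (timestamps, hosts and the benign request are invented).
SAMPLE_PROXY_LOG = [
    "2022-01-18T10:12:04Z ws01 GET http://happy.nanoace.co.kr/Content/rating/themes/krajee-fas/FrmAMEISMngWeb.asp 200",
    "2022-01-18T10:13:11Z ws01 GET https://www.example.com/ 200",
    "2022-01-19T08:02:30Z ws02 GET http://cdn.mariamchurch.com/update.bin 200",
    "2022-01-19T08:05:00Z ws02 CONNECT 61.81.50.174:443 -",
]
# Constructed inventory; the path is invented and says nothing about which
# real file carries this digest.
SAMPLE_INVENTORY = {
    r"C:\Users\Public\sample1.bin": "164f6a8f7d2035ea47514ea84294348e32c90d817724b80ad9cd3af6f93d83f8",
    r"C:\Windows\System32\kernel32.dll": "0" * 64,
}


def refang(indicator):
    """Undo common defanging so indicators compare equal to raw telemetry."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s)
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")


def load_iocs(defanged):
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


IOCS = load_iocs(DEFANGED_IOCS)

HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(host, domains):
    """Exact match or a subdomain of a listed domain; a lookalike suffix
    such as notmariamchurch.com must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(lines, iocs):
    """Return (line_index, kind, indicator) for each line hitting an IOC;
    one hit per line, checked in the order URL, IP, domain."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()
        hit = next((("url", u) for u in iocs["url"] if u in low), None)
        if hit is None:
            hit = next((("ip", ip) for ip in IPV4_RE.findall(line) if ip in iocs["ip"]), None)
        if hit is None:
            hit = next((("domain", h) for h in HOST_RE.findall(line)
                        if domain_matches(h, iocs["domain"])), None)
        if hit is not None:
            hits.append((i,) + hit)
    return hits


def scan_hashes(inventory, iocs):
    """Return the paths whose SHA-256 appears in the IOC set."""
    return sorted(p for p, digest in inventory.items() if digest.lower() in iocs["sha256"])


if __name__ == "__main__":
    for i, kind, value in scan_logs(SAMPLE_PROXY_LOG, IOCS):
        print(f"line {i}: {kind} {value}")
    print("hash hits:", scan_hashes(SAMPLE_INVENTORY, IOCS))
```

Note that www.aumentarelevisite[.]com is listed with its www label, so the matcher will flag www.aumentarelevisite.com and hosts beneath it but not the bare apex; widen the indicator deliberately rather than letting the matcher strip labels on its own.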

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical