Internals of Lazarus Operation Dream Job
2021-01-28 • 0xthreatintel
The archived analysis reverse-engineers Torisma and LCPDot malware used in Lazarus/Hidden Cobra Operation Dream Job activity. Torisma is described as collecting host and process information, creating malicious pipes, loading DLLs, encrypting C2 communication with VEST-32, and downloading additional files from command-and-control servers. The LCPDot section highlights authentication strings, request and C2-operation routines, plugin download behavior, and stopping C2 communications. The source provides representative network indicators such as 31[.]186[.]8[.]221, 103[.]227[.]176[.]20, 192[.]35[.]177[.]64, 51[.]255[.]16[.]98, and domains including www[.]commodore[.]com[.]tr and www[.]fabianiarte[.]com.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 56b9de82c7ede1c231dc20ff0726bf4… | 2021-01-28 | 2021-01-28 |
| HASH | 1d261bae90a95c20caf7a12e9b404dd… | 2021-01-28 | 2021-01-28 |
| HASH | 7cd3ca8bdfb44e98a4b9d0c6ad77546… | 2021-01-28 | 2021-01-28 |
| HASH | 81ca4bd42b01fe43cefd7fc38083bc6b | 2021-01-28 | 2021-01-28 |
| HASH | 9a8403e2eb0324050e53f2c500bc8308 | 2021-01-28 | 2021-01-28 |
| IPv4 | 192.35.177.64 | 2021-01-28 | 2021-01-28 |
| IPv4 | 103.227.176.20 | 2021-01-28 | 2021-01-28 |
| IPv4 | 31.186.8.221 | 2021-01-28 | 2021-01-28 |
| HASH | ff7172d9c888b7a88a7d77372112d772 | 2021-01-26 | 2021-01-28 |
| HASH | a9334efa9f40a36e7dde7ef1fe3018b… | 2021-01-26 | 2021-01-28 |
| IPv4 | 51.255.16.98 | 2021-01-26 | 2021-01-28 |
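The summary and the table above give the indicators in defanged form and label every hash only as "HASH". The script below is an added example, not code from the original analysis: it refangs the page's network indicators, classifies each one (MD5 by length, IPv4, domain, or a truncated hash that can only be prefix-matched), and runs an exact-match sweep over a constructed key=value log whose field names (`dst`, `query`, `answer`) and lines are assumptions, not real traffic.

```python
"""Refang, classify and match the Operation Dream Job indicators listed on this page.

Added example for this page, not code from the original analysis. The
indicator list is copied from the page; the log lines are constructed
sample data in a made-up key=value format.
"""
from __future__ import annotations

import ipaddress
import re

# Indicators exactly as the page defangs them (constructed list from the
# summary and the IOC table; truncated hashes are kept truncated on purpose).
DEFANGED_IOCS = [
    "31[.]186[.]8[.]221",
    "103[.]227[.]176[.]20",
    "192[.]35[.]177[.]64",
    "51[.]255[.]16[.]98",
    "www[.]commodore[.]com[.]tr",
    "www[.]fabianiarte[.]com",
    "81ca4bd42b01fe43cefd7fc38083bc6b",
    "9a8403e2eb0324050e53f2c500bc8308",
    "ff7172d9c888b7a88a7d77372112d772",
    "56b9de82c7ede1c231dc20ff0726bf4…",
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its live form."""
    s = indicator.strip().lower()
    for defanged, live in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, live)
    return s.replace("hxxp", "http")


def classify(indicator: str) -> str:
    """Label a refanged indicator more precisely than the table's HASH/IPv4 types."""
    v = indicator.lower()
    if v.endswith("…") and HEX_RE.match(v[:-1]):
        return "truncated-hash"  # usable only as a prefix, never for exact matching
    if HEX_RE.match(v):
        return HASH_LENGTHS.get(len(v), "unknown-hash")
    try:
        return "ipv%d" % ipaddress.ip_address(v).version
    except ValueError:
        pass
    return "domain" if "." in v else "unknown"


KV_RE = re.compile(r"(\w+)=(\S+)")
NETWORK_FIELDS = {"dst", "query", "answer"}  # assumed field names of the sample log format


def network_iocs() -> set[str]:
    """Refanged IPs and domains from DEFANGED_IOCS (hashes are not network observables)."""
    live = (refang(i) for i in DEFANGED_IOCS)
    return {v for v in live if classify(v) in ("ipv4", "ipv6", "domain")}


def scan(log_text: str, iocs: set[str]) -> list[tuple[int, str, str]]:
    """Return (line number, field, indicator) for every network field equal to an IOC."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for key, value in KV_RE.findall(line):
            if key in NETWORK_FIELDS and value.lower() in iocs:
                hits.append((lineno, key, value.lower()))
    return hits


# Constructed sample log (not real traffic): three lines touch page IOCs, one is benign.
SAMPLE_LOG = """\
2021-01-28T10:01:02Z host=WS-042 proto=https dst=www.fabianiarte.com dport=443 bytes=1823
2021-01-28T10:01:05Z host=WS-042 proto=https dst=31.186.8.221 dport=443 bytes=512
2021-01-28T10:02:10Z host=WS-017 proto=https dst=www.example.org dport=443 bytes=90210
2021-01-28T10:03:44Z host=WS-042 proto=dns query=WWW.commodore.com.tr answer=203.0.113.5
"""

if __name__ == "__main__":
    for lineno, field, ioc in scan(SAMPLE_LOG, network_iocs()):
        print(f"line {lineno}: {field}={ioc} ({classify(ioc)})")
```

Matching is exact and case-folded rather than substring-based, so a lookalike host does not fire on a partial string. The three truncated hashes in the table cannot be used for exact file matching at all; treat them as prefixes until the full value is recovered from the original analysis.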