Operation Dream Job by Lazarus
2021-01-26 • JPCERT
JPCERT/CC's English-language Operation Dream Job report analyzes the Torisma and LCPDot malware used by Lazarus (Hidden Cobra). Torisma is a downloader executed via rundll32 that loads its command-and-control (C2) configuration from a signed local file, uses the VEST-32 algorithm with a reused encryption key, and downloads encrypted modules after a two-stage HTTP POST exchange. LCPDot is described as a similar downloader, sometimes obfuscated with VMProtect and likely used for lateral movement after a Torisma infection; it supports RC4-keyed and Base64-encoded C2 options and stores its configuration data in encoded form. The report provides protocol details, configuration locations, module behavior, and C2 infrastructure useful for defensive hunting.
Indicators of Compromise