Sherlock Dream Job-2 Walk-through


DreamJob-2 is a threat intelligence scenario focused on analyzing malware associated with the Lazarus Group and gathering intelligence on their custom-built tools.

In this walkthrough, we analyze multiple artifacts, identify malware behaviors, and correlate findings with the MITRE ATT&CK framework.


Who Is the Lazarus Group?

The Lazarus Group is a North Korea–attributed Advanced Persistent Threat (APT) that conducts cyber operations in support of state objectives, including cyber espionage, financial theft, and disruptive attacks.

The group is known for using custom malware, phishing campaigns, and job-themed lures, often targeting defense, engineering, and technology sectors.

Objective of This Exercise

In this HTB exercise, we analyze malware used by the Lazarus Group and map its techniques to MITRE ATT&CK to better understand their tradecraft.

Let’s start:

Task 1:

According to MITRE ATT&CK, what previously known malware does DRATzarus share similarities with?

You will find this on the MITRE ATT&CK software page for DRATzarus, which gives a short description of the tool and names the earlier malware it is related to.
Reference: https://attack.mitre.org/software/S0694/

Task 2:

Which Windows API function does DRATzarus use to detect the presence of a debugger?

You will find this on the same MITRE ATT&CK page. But why would a piece of malware check for a debugger at all?

Malware authors do not want their code dissected by defenders or analysts. Debuggers are used by malware analysts, reverse engineers and sandbox environments, so a sample that detects one can exit, stall or take a harmless code path instead of revealing its real behaviour. The Windows API DRATzarus uses to detect a debugger is IsDebuggerPresent. That call simply returns the BeingDebugged flag from the Process Environment Block, which is why analysts routinely defeat it by clearing the flag or patching out the call.

Ref: https://attack.mitre.org/techniques/T1622/

Task 3

Torisma is another piece of malware used by the Lazarus Group. According to MITRE, it has encrypted its C2 communications using XOR and which other method?

Torisma is a Lazarus-linked backdoor used for espionage and persistence; it lets the operators remotely control infected systems, execute commands and download additional payloads. According to MITRE, its C2 traffic is encrypted with XOR and VEST-32, so the other method is VEST-32.

Reference: https://attack.mitre.org/software/S0678/

Task 4

Which packing method has been used to obfuscate Torisma?

Malware uses compression or packing to hide its real code and evade detection by security tools. It also slows down analysis, because the analyst has to unpack the payload before its behaviour can be examined.
Torisma is packed with lz4 compression.

Reference: https://attack.mitre.org/techniques/T1027/002/


Task 5

Analyze the provided ISO file and identify the executable contained within it?

The exercise provides a DANGER.zip file. As a best practice, potentially malicious files should only be handled in a restricted and supervised environment such as an isolated VM or a Docker container (keep in mind that a container shares the host kernel, so a VM is the safer choice for anything you intend to execute rather than merely inspect).
For this analysis, I used the REMnux Docker image.

When you unzip DANGER.zip inside the REMnux container, you will find the following files:

17.dotm
BAE_HPC_SE.iso
Salary_Lockheed_Martin_job_opportunities_confidential.doc

The task here is to look into the ISO file, BAE_HPC_SE.iso.
There are multiple ways to do this.
I first used the isoinfo command to get information from the ISO:

I then used 7z to extract the files from the ISO.
Command: 7z x BAE_HPC_SE.iso -oiso_contents

In the iso_contents directory you will see two extracted files:

BAE_HPC_SE.pdf
InternalViewer.exe

Running file InternalViewer.exe reports a PE32+ executable, that is, a 64-bit Windows Portable Executable. file identifies the type from the magic bytes rather than the extension, so it reports a PE even when the sample has been given an innocuous name.
The executable the question refers to is InternalViewer.exe, and that is the answer.

Task 6

The executable found in the previous question was renamed. Can you identify its original name?

To check this we use exiftool, which reads the version-information resource embedded in the PE. Its Original File Name field shows SumatraPDF.exe, an open-source PDF viewer that was renamed to InternalViewer.exe. Keep in mind that this field is written by whoever built the binary, so it tells you the file was renamed but is not proof of where it came from.

(Screenshot: exiftool output for the renamed file)
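
How the Original File Name value can be pulled from a PE without exiftool, as an added example that is not part of the walkthrough. VS_VERSIONINFO stores each StringFileInfo field as a little-endian UTF-16 key, alignment padding and then the UTF-16 value, so one field can be located with a byte search instead of a full resource-tree parser. SAMPLE_PE and string_entry() are constructed to mimic that layout and are not bytes from InternalViewer.exe; version_string() and rename_check() are my names.

```python
"""Recover a PE's embedded OriginalFilename and compare it with the name on disk.

Added example, not the walkthrough's own code and not exiftool. SAMPLE_PE is a
constructed byte string in the VS_VERSIONINFO String layout, not a real file.
"""
from __future__ import annotations

import struct


def utf16(text: str) -> bytes:
    """Null-terminated UTF-16LE, the encoding of keys and values in VS_VERSIONINFO."""
    return (text + "\x00").encode("utf-16-le")


def version_string(data: bytes, key: str) -> str | None:
    """Return the value of one String structure (wLength, wValueLength, wType,
    szKey, padding to a 4-byte boundary, szValue), or None if the key is absent."""
    needle = utf16(key)
    pos = data.find(needle)
    while pos != -1:
        if pos % 2 == 0:                            # UTF-16 text is 2-byte aligned; odd hits are noise
            p = pos + len(needle)
            while p + 1 < len(data) and data[p:p + 2] == b"\x00\x00":
                p += 2                              # skip the alignment padding words
            end = p
            while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
                end += 2                            # the value runs to the next UTF-16 null
            value = data[p:end].decode("utf-16-le", errors="replace")
            if value:
                return value
        pos = data.find(needle, pos + 2)
    return None


def rename_check(on_disk_name: str, data: bytes) -> dict:
    """Flag a binary whose file name differs from its embedded OriginalFilename.
    The field is set by whoever built the binary, so a match proves nothing
    about provenance and malware can claim any name; a mismatch is still a
    useful renamed-tool signal (Sysmon logs the same field as OriginalFileName)."""
    original = version_string(data, "OriginalFilename")
    return {
        "on_disk": on_disk_name,
        "original": original,
        "renamed": original is not None and original.lower() != on_disk_name.lower(),
    }


def string_entry(key: str, value: str) -> bytes:
    """Constructed String structure in the layout a linker emits (sample data only)."""
    k = utf16(key)
    pad = b"\x00" * ((4 - (6 + len(k)) % 4) % 4)      # align the value on a 32-bit boundary
    body = k + pad + utf16(value)
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body   # wType 1 = text


# Constructed stand-in: a DOS stub followed by three version-info strings.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 200
    + string_entry("CompanyName", "Example Corp (constructed)")
    + string_entry("OriginalFilename", "SumatraPDF.exe")
    + string_entry("ProductName", "Example Viewer (constructed)")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print(rename_check("InternalViewer.exe", SAMPLE_PE))
```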

Task 7

According to VirusTotal, when was the EXE from the previous question First Seen In The Wild?(UTC)

Since the lab is a CLI environment, you can either query the VirusTotal API or generate a hash of InternalViewer.exe and look it up in the VirusTotal web interface. Searching by hash rather than uploading the file avoids sharing a sample that may be sensitive.

To generate hash of the file:
#sha256sum InternalViewer.exe

Link to the virustotal: https://www.virustotal.com/gui/file/adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802/details

You will find the First Seen In The Wild value here: 2020-08-13 08:44:50 UTC, and that is the answer to this task.

Task 8

What packer was used to pack the executable from Question 6? (Full name)

This was a bit tricky because I thought it was specifically asking about the packer version. Many different packers are used by malware; this sample is packed with UPX, which stands for Ultimate Packer for eXecutables. A UPX-packed PE is easy to recognise: its sections are usually named UPX0 and UPX1, the string UPX! appears in the file, and output from an unmodified UPX build can be unpacked with upx -d.

The task only wants the packer's full name, i.e. the expansion of UPX.
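
A quick check for those UPX signs, as an added example that is not part of the walkthrough. It parses the PE section table with the standard library and reports the UPX section names and the UPX! marker; make_sample_pe() builds a minimal, non-runnable PE header for the demonstration, and nothing is taken from the InternalViewer.exe sample. The function names are mine.

```python
"""Look for the signs of UPX packing in a PE file using only the standard library.

Added example, not the walkthrough's own code. The sample PE headers are
constructed by make_sample_pe(); no bytes come from the exercise's binary.
"""
import struct

SECTION_HEADER_SIZE = 40


def section_names(data: bytes) -> list:
    """Return the section names from the PE section table, in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2). The section table follows the
    # optional header, whose size is given in the file header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Cheap heuristics: UPX section names and the UPX! marker. A modified UPX
    build can strip both, so their absence proves nothing."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "upx_marker": b"UPX!" in data,
    }


def make_sample_pe(names, marker: bool) -> bytes:
    """Constructed header: DOS stub, PE signature, file header with an empty
    optional header, then one 40-byte section header per name."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_header = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + file_header + sections + (b"UPX!" if marker else b"")


if __name__ == "__main__":
    print(upx_indicators(make_sample_pe(["UPX0", "UPX1", ".rsrc"], True)))
    print(upx_indicators(make_sample_pe([".text", ".rdata", ".data"], False)))
```

For anything beyond a first look, use a signature-based identifier (Detect It Easy, or the packer rules shipped with YARA) rather than section names alone; renaming UPX0/UPX1 is the first thing a packer-modifying author does.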

Task 9

What is the full URL found within the macro in the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?

I used the strings command to fetch this value:

This is the URL: https://markettrendingcenter.com/lk_job_oppor.docx

Task 10 & Task 11

Who is the author of the document Salary_Lockheed_Martin_job_opportunities_confidential.doc?

Who last modified the above document?

Both questions ask for values stored in the document's metadata (for a legacy .doc this is the OLE SummaryInformation stream, which records the author and the last-modified-by name), so we use exiftool to answer them:

Task 12 & Task 13

Analyze the “17.dotm” document. What is the directory where a suspicious folder was created? (Format: Give the path starting immediately after <USER>. Please pay attention to placeholder.)

Which suspicious file was checked for existence in that directory?

Tasks 12 and 13 were challenging as 17.dotm is a macro-enabled Word template. A quick exiftool run told me that it is a macro-enabled template, so there must be a malicious VBA script inside the file.

The idea of this task is to find the folder the VBA script creates once it is triggered.
After checking with ChatGPT for the best command to fetch that, I found the olevba command (part of oletools).

#olevba 17.dotm
This command dumps the VBA code embedded in 17.dotm together with a summary of suspicious keywords and indicators.
Here the suspicious directory is: \AppData\Local\Microsoft\Notice
and the suspicious file checked for existence is: wsuser.db
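
What olevba does under the hood for Task 9 and for Tasks 12 and 13, as an added example that is not part of the walkthrough and is not olevba's own code. Word keeps macro source inside the vbaProject.bin OLE streams compressed as described in MS-OVBA section 2.4.1, which is why strings on the raw document tends to show the source only in fragments (a token flag byte interrupts every eight literal bytes) while olevba, which decompresses first, shows it whole. decompress_vba() implements that algorithm; compress_literal(), SAMPLE_VBA and the regexes are constructed helpers of mine, and the URL and path in the sample are placeholders rather than the values from the exercise's documents.

```python
"""Decompress an MS-OVBA module stream and pull indicators out of the VBA source.

Added example, not the walkthrough's own code and not olevba. SAMPLE_VBA is a
constructed macro; its URL, folder and file name are placeholders.
"""
import re
import struct


def decompress_vba(container: bytes) -> bytes:
    """MS-OVBA 2.4.1.3 decompression: a signature byte, then chunks of tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 1 < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if ((header >> 12) & 0x7) != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))   # size field excludes 3 bytes
        chunk_start = len(out)                                          # copy offsets are chunk-relative
        pos += 2
        if not header & 0x8000:                                         # flag clear: 4096 raw bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                                      # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                              # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]     # copy token: offset|length
                pos += 2
                difference = len(out) - chunk_start
                bit_count = max(4, (difference - 1).bit_length())       # = max(4, ceil(log2(difference)))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                                 # may overlap its own output
                    out.append(out[-offset])
    return bytes(out)


def compress_literal(source: bytes) -> bytes:
    """Constructed encoder: one compressed chunk made only of literal tokens
    (valid per the spec, just unoptimised). Single chunk, at most ~3600 bytes."""
    body = b"".join(b"\x00" + source[i:i + 8] for i in range(0, len(source), 8))
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + struct.pack("<H", header) + body


URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PATH_RE = re.compile(rb"(?:[A-Za-z]:)?(?:\\[A-Za-z0-9_.$-]+){2,}")
DIR_RE = re.compile(rb"\bDir\(([^)]*)\)")


def extract_iocs(source: bytes) -> dict:
    """URLs, multi-segment Windows paths and Dir() existence checks in the source."""
    return {
        "urls": sorted({m.decode() for m in URL_RE.findall(source)}),
        "paths": sorted({m.decode() for m in PATH_RE.findall(source)}),
        "dir_checks": [m.decode().strip() for m in DIR_RE.findall(source)],
    }


# Constructed macro in the style of the lure; folder, file and URL are placeholders.
SAMPLE_VBA = (
    b'Sub AutoOpen()\r\n'
    b'    Dim d As String, u As String\r\n'
    b'    d = Environ("USERPROFILE") & "\\AppData\\Local\\Microsoft\\Example"\r\n'
    b'    u = "https://example.invalid/lure.docx"\r\n'
    b'    If Dir(d & "\\example.db") = "" Then MkDir d\r\n'
    b'End Sub\r\n'
)

if __name__ == "__main__":
    source = decompress_vba(compress_literal(SAMPLE_VBA))
    print(source.decode())
    print(extract_iocs(source))
```

On a real document you would first open the OLE container (olefile does this), locate the module streams named in the dir stream, and feed each stream's source from its recorded offset into decompress_vba(); the regexes then give you the same URL, folder and Dir() target that olevba's output shows.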