The Lazarus Group (aka Hidden Cobra) is a threat actor group that has been attributed to the Democratic People’s Republic of Korea (DPRK).
The operations of the Lazarus advanced persistent threat (APT) group are characterized by malware specially crafted for attacks on financial institutions, for espionage and for disruptive purposes. Several campaigns have been carried out against the U.S., Israel and other countries as part of large-scale offensive operations by the Lazarus group.
One of its best-known campaigns is called Operation Dream Job, which targeted employees in the defense and aerospace industries with an offer of their “dream job” at a prestigious company such as Boeing, Lockheed Martin or BAE.
The Lazarus Group uses a range of tactics, techniques and procedures (TTPs) to impact companies and Internet end-users around the globe.
Details of Torisma malware
Torisma is one of the malware families used in Operation Dream Job by Lazarus APT. It downloads and executes various modules from external servers and is disseminated using Microsoft Word files. The malware takes the form of a DLL file that is loaded into memory via rundll32.exe.
Figure 1: Torisma DLL executable by Lazarus APT.
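The delivery chain described above (a Word document that ends up loading a DLL through rundll32.exe) leaves a simple process-tree signal that defenders can alert on. The following is an added detection sketch, not code from the original article or from any Lazarus tooling analysis: it scans constructed Sysmon-style process-creation records and flags rundll32.exe when its parent is an Office application, and additionally when the DLL argument sits in a user-writable directory. The field names (image, parent image, command line) are modelled on Sysmon Event ID 1 and the user-writable-path heuristic is an assumption of this example, not something the article states.

```python
"""Detection sketch: rundll32.exe launched by Microsoft Word.

Added example (not from the original article). Input events are constructed
Sysmon-style process-creation records; the field names are assumptions
modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Office applications that should not normally spawn rundll32.exe (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Directories a normal user can write to; a DLL loaded from one of these by
# rundll32 is suspicious. This path heuristic is an assumption of the example.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|temp)\\", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_dll_argument(command_line: str) -> str | None:
    """Return the DLL path passed to rundll32.exe, or None if not recognisable.

    rundll32 takes `<dll>,<export>`; the DLL path may be quoted.
    """
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', command_line, re.IGNORECASE)
    return m.group(1).strip() if m else None


def classify(event: ProcessEvent) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    reasons: list[str] = []
    if basename(event.image) != "rundll32.exe":
        return reasons
    if basename(event.parent_image) in OFFICE_PARENTS:
        reasons.append("rundll32 spawned by Office application")
    dll = rundll32_dll_argument(event.command_line)
    if dll and USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from user-writable path")
    return reasons


def scan(events: Iterable[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Run classify() over a stream of events and collect the hits."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.pid, reasons))
    return hits


# Constructed sample events; the paths and file names are made up for the
# example and are not indicators from any real incident.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",Start'),
    ProcessEvent(101, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(102, r"C:\Windows\System32\notepad.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"notepad.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the first sample event fires, on both reasons; the explorer-launched rundll32 with a System32 DLL is the everyday benign case that the parent check keeps out of the alert queue. In production the same two predicates map directly onto a process-creation rule in any EDR or SIEM that records parent image and command line.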