CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

“Operation Sharpshooter” Hits Global Defense, Critical Infrastructure Firms

Global Cyberattack Campaign Hits 87 Organizations Using “Rising Sun” Malware

Global Cyberattack Campaign Hits 87 Organizations Using “Rising Sun” Malware

At least 87 organizations worldwide were infected with the same malware as part of a newly discovered campaign targeting nuclear, defense, energy, and financial sectors, McAfee reports. 

The campaign, which McAfee refers to as Operation Sharpshooter, employs a second-stage implant dubbed Rising Sun, which is an evolution of the Duuzer backdoor previously associated with the North Korean-linked Lazarus Group. 

The use of Lazarus source code and the presence of numerous technical links to the state-sponsored North Korean hackers “seem too obvious to immediately draw the conclusion that they are responsible for the attacks,” McAfee’s security researchers say in a new report (PDF). They say these might actually be false flags

The campaign masquerades as legitimate industry job recruitment activity, but instead is focused on gathering information for potential exploitation. In October and November 2018, McAfee said the Rising Sun malware appeared in 87 organizations across the globe, predominantly in the United States. Because McAfee’s visibility is limited, the malware has likely 

The attacks started on October 25 and employed documents created with a Korean version of Microsoft Word and distributed by an IP address in the United States and via Dropbox. A malicious macro in the documents leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word and retrieve the second-stage implant. 

A fully functional backdoor, the Rising Sun implant has a modular design and is capable of performing reconnaissance operations on the infected machines. The scheme used by the malware for building the Library and API names is derived from the byte-chunk string-construction technique often used by Lazarus implants, McAfee notes. 

The information the malware gathers from the victim’s system includes network adapter info, computer name, user name, IP address information, native system information, and OS product name.  

Advertisement. Scroll to continue reading.

The Rising Sun implant contains 14 backdoor capabilities and executes functions as instructed by the command and control server. The malware can execute a command using cmd.exe, get drive information, launch a process from a binary, get process information, terminate processes, get file creation times, read file, clear process memory, write file to disk, delete file, get additional info on specific files, connect to an IP address, and change file attributes. 

The researchers observed similarities with the Lazarus group, such as the creation of malicious documents in a Korean-language environment, the use of a variant of the dynamic API resolution technique employed by Lazarus, and similarities between the operation and Lazarus attacks from 2017. There are also a number of similarities between Rising Sun and Duuzer. 

“We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators. Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution. Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign,” McAfee concludes. 

“The new implant is another example of how targeted attacks attempt to gain intelligence through social engineering, which can be addressed through a balanced focus on both the people within the organization and on the process-related mitigation activities. Programs should have access to a real-time recommendation engine that is constantly weighing people, process, and technology against their gaps in order to determine where remediation actions related to any of those three areas might be the most successful against an attack such as this,” George Wrenn, CEO and Founder, CyberSaint Security, told SecurityWeek in an emailed comment. 

Related: “Duuzer” Trojan Used to Target South Korean Organizations

Related: WannaCry ‘Highly Likely’ Work of North Korean-linked Hackers, Symantec Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.