Global Cyberattack Campaign Hits 87 Organizations Using “Rising Sun” Malware
At least 87 organizations worldwide were infected with the same malware as part of a newly discovered campaign targeting nuclear, defense, energy, and financial sectors, McAfee reports.
The campaign, which McAfee refers to as Operation Sharpshooter, employs a second-stage implant dubbed Rising Sun, which is an evolution of the Duuzer backdoor previously associated with the North Korean-linked Lazarus Group.
The use of Lazarus source code and the presence of numerous technical links to the state-sponsored North Korean hackers “seem too obvious to immediately draw the conclusion that they are responsible for the attacks,” McAfee’s security researchers say in a new report (PDF). They say these might actually be false flags.
The campaign masquerades as legitimate industry job recruitment activity, but instead is focused on gathering information for potential exploitation. In October and November 2018, McAfee said the Rising Sun malware appeared in 87 organizations across the globe, predominantly in the United States. Because McAfee’s visibility is limited, the malware has likely
The attacks started on October 25 and employed documents created with a Korean version of Microsoft Word and distributed by an IP address in the United States and via Dropbox. A malicious macro in the documents leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word and retrieve the second-stage implant.
A fully functional backdoor, the Rising Sun implant has a modular design and is capable of performing reconnaissance operations on the infected machines. The scheme used by the malware for building the Library and API names is derived from the byte-chunk string-construction technique often used by Lazarus implants, McAfee notes.
The information the malware gathers from the victim’s system includes network adapter info, computer name, user name, IP address information, native system information, and OS product name.
The Rising Sun implant contains 14 backdoor capabilities and executes functions as instructed by the command and control server. The malware can execute a command using cmd.exe, get drive information, launch a process from a binary, get process information, terminate processes, get file creation times, read file, clear process memory, write file to disk, delete file, get additional info on specific files, connect to an IP address, and change file attributes.
The researchers observed similarities with the Lazarus group, such as the creation of malicious documents in a Korean-language environment, the use of a variant of the dynamic API resolution technique employed by Lazarus, and similarities between the operation and Lazarus attacks from 2017. There are also a number of similarities between Rising Sun and Duuzer.
“We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators. Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution. Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign,” McAfee concludes.
“The new implant is another example of how targeted attacks attempt to gain intelligence through social engineering, which can be addressed through a balanced focus on both the people within the organization and on the process-related mitigation activities. Programs should have access to a real-time recommendation engine that is constantly weighing people, process, and technology against their gaps in order to determine where remediation actions related to any of those three areas might be the most successful against an attack such as this,” George Wrenn, CEO and Founder, CyberSaint Security, told SecurityWeek in an emailed comment.