Security Experts:

Connect with us

Hi, what are you looking for?



“Operation Sharpshooter” Hits Global Defense, Critical Infrastructure Firms

Global Cyberattack Campaign Hits 87 Organizations Using “Rising Sun” Malware

Global Cyberattack Campaign Hits 87 Organizations Using “Rising Sun” Malware

At least 87 organizations worldwide were infected with the same malware as part of a newly discovered campaign targeting nuclear, defense, energy, and financial sectors, McAfee reports. 

The campaign, which McAfee refers to as Operation Sharpshooter, employs a second-stage implant dubbed Rising Sun, which is an evolution of the Duuzer backdoor previously associated with the North Korean-linked Lazarus Group. 

The use of Lazarus source code and the presence of numerous technical links to the state-sponsored North Korean hackers “seem too obvious to immediately draw the conclusion that they are responsible for the attacks,” McAfee’s security researchers say in a new report (PDF). They say these might actually be false flags

The campaign masquerades as legitimate industry job recruitment activity, but instead is focused on gathering information for potential exploitation. In October and November 2018, McAfee said the Rising Sun malware appeared in 87 organizations across the globe, predominantly in the United States. Because McAfee’s visibility is limited, the malware has likely 

The attacks started on October 25 and employed documents created with a Korean version of Microsoft Word and distributed by an IP address in the United States and via Dropbox. A malicious macro in the documents leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word and retrieve the second-stage implant. 

A fully functional backdoor, the Rising Sun implant has a modular design and is capable of performing reconnaissance operations on the infected machines. The scheme used by the malware for building the Library and API names is derived from the byte-chunk string-construction technique often used by Lazarus implants, McAfee notes. 

The information the malware gathers from the victim’s system includes network adapter info, computer name, user name, IP address information, native system information, and OS product name.  

The Rising Sun implant contains 14 backdoor capabilities and executes functions as instructed by the command and control server. The malware can execute a command using cmd.exe, get drive information, launch a process from a binary, get process information, terminate processes, get file creation times, read file, clear process memory, write file to disk, delete file, get additional info on specific files, connect to an IP address, and change file attributes. 

The researchers observed similarities with the Lazarus group, such as the creation of malicious documents in a Korean-language environment, the use of a variant of the dynamic API resolution technique employed by Lazarus, and similarities between the operation and Lazarus attacks from 2017. There are also a number of similarities between Rising Sun and Duuzer. 

“We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators. Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution. Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign,” McAfee concludes. 

“The new implant is another example of how targeted attacks attempt to gain intelligence through social engineering, which can be addressed through a balanced focus on both the people within the organization and on the process-related mitigation activities. Programs should have access to a real-time recommendation engine that is constantly weighing people, process, and technology against their gaps in order to determine where remediation actions related to any of those three areas might be the most successful against an attack such as this,” George Wrenn, CEO and Founder, CyberSaint Security, told SecurityWeek in an emailed comment. 

Related: “Duuzer” Trojan Used to Target South Korean Organizations

Related: WannaCry ‘Highly Likely’ Work of North Korean-linked Hackers, Symantec Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...