Actor uses recruiting lure for collection and exfiltration

Dec 12, 2018 21:46 GMT  ·  By

The McAfee Advanced Threat Research team detected a malware campaign dubbed Operation Sharpshooter which attacked nuclear, defense, energy, and financial targets from all over the world.

As detailed by McAfee's research team, the campaign dubbed "Operation Sharpshooter" makes use of an in-memory implant to download and execute a second-stage payload named Rising Sun.

Moreover, the Rising Sun implant is a fully functional modular backdoor designed to perform surveillance on its compromised victims' network.

This second implant also shares multiple similarities with the Trojan Duuzer backdoor, which the Lazarus Group cyber-espionage actor, known to have been active since at least 2009, employed in 2015 attacks designed to compromise targets from the same critical industries.

The campaign camouflaged itself as a legitimate industry job recruitment operation, and the attack chain starts with a document containing malicious macros designed to download the first-stage payload into system memory, where it stealthily runs in the background and collects intelligence.

Trend Micro steered clear of attributing the attack to a specific threat group

All the data Rising Sun gathers from infiltrated boxes is sent to the group's control servers, providing its masters with information regarding the system's details and network adapters, local usernames and IP address, as well as allowing them to manage system files and processes.

"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. We shall leave attribution to the broader security community," said Trend Micro, not willing to jump to conclusions.

The security firm has good reasons to be skeptical, given that there are still notable differences between Rising Sun and Trojan Duuzer: the former uses HTTP communication channels, while the latter employs a socket-based communication mechanism.

Furthermore, the command codes and the return codes/data in the two strains are different, and the encryption schemes used by the two strains' authors are entirely dissimilar as well, with Duuzer making use of a custom XOR scheme and Rising Sun using the RC4 stream cipher.
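The infection chain described above (a macro-carrying document that loads a first stage into memory, followed by HTTP-based command and control) is the kind of pattern endpoint telemetry can surface. The following is an added example written for this article, not McAfee's or Trend Micro's detection logic: it walks Sysmon-like process-creation and network-connection records, rebuilds the process ancestry, and flags any web-port connection made by an Office application or one of its descendants. The event records, process names, and IP addresses are constructed sample data, not indicators from the campaign, and the field names assume a Sysmon-style schema.

```python
"""Flag web connections originating from an Office process or its children.

Added illustrative detection logic; the events below are constructed sample
telemetry (Sysmon-like fields), not indicators of compromise from the article.
"""
from typing import Dict, List, Tuple

# Office hosts that commonly carry macro code (assumption: extend per estate)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Ports treated as HTTP(S) for this toy; real rules would use proxy/DNS data too
WEB_PORTS = {80, 443, 8080}
MAX_DEPTH = 5  # guard against cycles or very deep trees

# Constructed sample events: "process" = process creation, "network" = outbound connect
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1200, "ppid": 900,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "corp\\jdoe"},
    # in-memory stage beaconing directly from the macro host
    {"type": "network", "pid": 1200, "dest_ip": "203.0.113.10", "dest_port": 80},
    # a child process spawned by Word that then talks HTTPS (hypothetical name)
    {"type": "process", "pid": 1340, "ppid": 1200,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "user": "corp\\jdoe"},
    {"type": "network", "pid": 1340, "dest_ip": "203.0.113.10", "dest_port": 443},
    # benign browser traffic, unrelated to Office
    {"type": "process", "pid": 1600, "ppid": 900,
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "user": "corp\\jdoe"},
    {"type": "network", "pid": 1600, "dest_ip": "198.51.100.5", "dest_port": 443},
    # Word opening a file share: not a web port, so not flagged by this rule
    {"type": "network", "pid": 1200, "dest_ip": "10.0.0.5", "dest_port": 445},
]


def basename(image: str) -> str:
    """Normalise a Windows image path to a lowercase file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_process_tree(events: List[Dict]) -> Tuple[Dict[int, str], Dict[int, int]]:
    """Map pid -> image name and pid -> parent pid from process-creation events."""
    images: Dict[int, str] = {}
    parents: Dict[int, int] = {}
    for e in events:
        if e["type"] != "process":
            continue
        images[e["pid"]] = basename(e["image"])
        parents[e["pid"]] = e["ppid"]
        # Record the parent's name even if we never saw its own creation event
        if e["ppid"] not in images and e.get("parent_image"):
            images[e["ppid"]] = basename(e["parent_image"])
    return images, parents


def ancestry(pid: int, images: Dict[int, str], parents: Dict[int, int]) -> List[str]:
    """Return [self, parent, grandparent, ...] image names, bounded by MAX_DEPTH."""
    chain: List[str] = []
    depth = 0
    while pid in images and depth < MAX_DEPTH:
        chain.append(images[pid])
        pid = parents.get(pid)
        depth += 1
    return chain


def find_office_web_beacons(events: List[Dict]) -> List[Dict]:
    """Alert on web-port connections whose process has an Office app as self or ancestor."""
    images, parents = build_process_tree(events)
    alerts: List[Dict] = []
    for e in events:
        if e["type"] != "network" or e["dest_port"] not in WEB_PORTS:
            continue
        chain = ancestry(e["pid"], images, parents)
        office = [name for name in chain if name in OFFICE_APPS]
        if office:
            alerts.append({
                "pid": e["pid"],
                "process_chain": " <- ".join(chain),
                "office_ancestor": office[0],
                "dest": f'{e["dest_ip"]}:{e["dest_port"]}',
            })
    return alerts


if __name__ == "__main__":
    for alert in find_office_web_beacons(EVENTS):
        print(f"[ALERT] pid={alert['pid']} chain={alert['process_chain']} -> {alert['dest']}")
```

On the constructed events this yields two alerts: the Word process itself reaching 203.0.113.10:80, and its child reaching the same host on 443; the browser session and the SMB connection are left alone. In practice such a rule needs an allow-list for legitimate Office web traffic (update checks, cloud storage), which is why the process chain and destination are kept in the alert for triage.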

[Photo gallery, 3 images: "Operation Sharpshooter"; "Targeted organizations by sector in October 2018"; "Infection flow of the Rising Sun implant"]