APT

Experts collect more evidence that link Op ‘Sharpshooter’ to North Korea

Security researchers at McAfee have linked the Op. Sharpshooter with the North Korea-linked Lazarus APT group after analyzing code from a command and control (C2) server.

Security experts at McAfee analyzed the code of a C2 server involved in the cyber espionage campaign tracked as Op. Sharpshooter and linked it with the North Korea-linked APT group

McAfee worked with a government entity and discovered that the
Op. Sharpshooter is much more extended and more complex than initially thought.

“McAfee today revealed evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations.” reads the press release published by the company.

“The analysis led to identification of multiple previously unknown command-and-control centers, and suggest that Sharpshooter began as early as September 2017, targeted a broader set of organizations, in more industries and countries and is currently ongoing.”

In Decembed 2018, security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in 2014.

The campaign targeted nuclear, defense, energy, and financial companies, experts believe attackers are gather intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

Threat actors carried out spear phishing attacks with a link poining to weaponized Word documents purporting to be sent by a job recruiter. The messages are in English and include descriptions for jobs at unknown companies, URLs associated with the documents belongs to a US-based IP address and to the Dropbox service.

The macros included in the malicious document uses an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

Attackers attempted to hide their identity through the use of the ExpressVPN service that showed connections to the web shell (Notice.php) that was discovered on a compromised server coming from two IP addresses in London.

The experts observed threat actors using three different variants of the
Rising Sun backdoor (v1.0, v1.1, and v2.0), a circumstance that confirms the evolution from the Duuzer Trojan that was used by Lazarus APT in attacks against the South Korean organizations.

Experts noticed that backdoor used by the attackers that is similar to versions of the Rising Sun implant dating back to 2017 and has the source code borrowed from Lazarus’s Duuzer Trojan.

“These [Rising Sun] implants were all based on the original Backdoor Duuzer source code,” reads the report published by the experts.

Other similarities in the TTPs of the adversaries are the use of the fake job recruitment campaigns and the use of similar versions of Rising Sun backdoor.

Experts found evidence that variants of the Rising Sun backdoor were used by the attackers since at least 2016.

The analysis of the c2 allowed the experts to determine that the largest number of recent attacks primarily target Germany, Turkey, the United Kingdom and the United States. Previous attacks were focused on entities in telco, government and financial industr, primarily in the United States, Switzerland, and Israel, and others.

Experts also discovered a set of unobfuscated connections from IP addresses in Windhoek, a city in Namibia, Africa. Researchers argue that attackers use the region to make some tests or that attackers run the operation from this are. However, experts cannot exclude that this is a false flag to deceive researchers.

Key findings shared by McAfee are:

  • Hunting and spearphishing. Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns, for example a very similar fake job recruitment campaign conducted in 2017 that the industry attributes to Lazarus Group.
  • African connection. Analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia. This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks.
  • Maintaining access to assets. The attackers have been using a command-and-control infrastructure with the core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code appears to be custom and unique to the group and McAfee’s analysis reveals it has been part of their operations since 2017.
  • Evolving Rising Sun. The Sharpshooter attackers used a factory-like process where various malicious components that make up Rising Sun have been developed independently outside of the core implant functionality. These components appear in various implants dating back to 2016, which is one indication that the attackers have access to a set of developed functionalities at their disposal.

The researchers will present their findings at the RSA security conference.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Lazarus, Sharpshooter
Sharpshooter )

[adrotate banner="5"]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 hour ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.