Pierluigi Paganini December 13, 2018

McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure.

Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in 2014.

The current campaign os targeting nuclear, defense, energy, and financial companies, experts believe attackers are gather intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

Threat actors are carrying out spear phishing attacks with a link poining to weaponized Word documents purporting to be sent by a job recruiter. The messages are in English and include descriptions for jobs at unknown companies, URLs associated with the documents belongs to a US-based IP address and to the Dropbox service.

The macros included in the malicious document uses an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

The macros act as a downloader for a second-stage implant dubbed Rising Sun that runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data). 
The Rising Sun implements tens of backdoor capabilities, including the abilities to terminate processes and write files to disk.

The binary is downloaded in the startup folder to gain persistence on the infected system. Experts observed that attackers behind the Operation Sharpshooter also downloads a second harmless Word document from the control server, most likely as a decoy to hide the malware.

The malware sends collected data to the C2 in an encrypted format, it uses the RC4 algorithm and encodes the encrypted data with Base64.

The control infrastructure is composed of servers located in the US, Singapore, and France.

Experts highlighted that the Rising Sun uses source code from Trojan Duuzer, a backdoor used by Lazarus Group in Sony attacks.

“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.

Experts found other similarities, for example the documents that are being used to distribute Rising Sun contain metadata indicating they were created using a Korean-language version of Word.

Experts found many similarities between the malware used in the 
Operation Sharpshooter and the one used in the Sony hack, experts also found similarities in tactics, techniques, and procedures used by the attackers and the Lazarus Group.

Experts believe that threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.

Further details on the campaign, including IoCs are reported in the analysis published by McAfee.

Pierluigi Paganini

(Security Affairs – Operation Sharpshooter, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]