Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in 2014.
The current campaign os targeting nuclear, defense, energy, and financial companies, experts believe attackers
“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.
“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”
Threat actors are carrying out spear phishing attacks with a link
The macros included in the malicious document uses an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.
The macros act as a downloader for a second-stage implant dubbed Rising Sun that runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data).
The Rising Sun implements tens of backdoor capabilities, including the abilities to terminate processes and write files to disk.
The binary is downloaded in the startup folder to gain persistence on the infected system. Experts observed that attackers behind the Operation Sharpshooter also downloads a second harmless Word document from the control server, most likely as a decoy to hide the malware.
The malware sends collected data to the C2 in an encrypted format, it uses the RC4 algorithm and encodes the encrypted data with Base64.
The control infrastructure is composed of servers located in the US, Singapore, and France.
Experts highlighted that the Rising Sun uses source code from Trojan Duuzer, a backdoor used by Lazarus Group in Sony attacks.
“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.
Experts found other similarities, for
Experts found many similarities between the malware used in the
Operation Sharpshooter and the one used in the Sony hack, experts also found similarities in tactics, techniques, and procedures used by the attackers and the Lazarus Group.
Experts believe that threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.
Further details on the campaign, including IoCs are reported in the analysis published by McAfee.
(Security Affairs – Operation Sharpshooter, hacking)