Security experts at McAfee analyzed the code of a C2 server involved in the cyber espionage campaign tracked as Op. Sharpshooter and linked it with the North Korea-linked APT group
McAfee worked with a government entity and discovered that the
Op. Sharpshooter is much more extended and more complex than initially thought.
“McAfee today revealed evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations.” reads the press release published by the company.
“The analysis led to
In Decembed 2018, security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with Lazarus APT group that carried out Sony Pictures attack back in 2014.
The campaign targeted nuclear, defense, energy, and financial companies, experts believe attackers
“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.
“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”
Threat actors carried out spear phishing attacks with a link
The macros included in the malicious document uses an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.
Attackers attempted to hide their identity through the use of the ExpressVPN service that showed connections to the web shell (Notice.php) that was discovered on a compromised server coming from two IP addresses in London.
The experts observed threat actors using three different variants of the
Rising Sun backdoor (v1.0, v1.1, and v2.0), a circumstance that confirms the evolution from the
Experts noticed that backdoor used by the attackers that
“These [Rising Sun] implants were all based on the original Backdoor
Other similarities in the
Experts found evidence that variants of the Rising Sun backdoor were used by the attackers since at least 2016.
The analysis of the c2 allowed the experts to determine that the largest number of recent attacks primarily target Germany, Turkey, the United Kingdom
Experts also discovered a set of unobfuscated connections from IP addresses in Windhoek, a city in Namibia, Africa. Researchers argue that attackers use the region to make some tests or that attackers run the operation from this are. However, experts cannot exclude that this is a false flag to deceive researchers.
Key findings shared by McAfee are:
The researchers will present their findings at the RSA security conference.