The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group discovered ‘Operation Sharpshooter’ targeting nuclear, defense, energy, and financial companies, based on McAfee Global Threat Intelligence.
This campaign gathers information to monitor for potential exploitation while indicating similar techniques associated with other job recruitment campaigns.
Impact
The Rising Sun implant appeared in 87 organizations across the globe in October and November 2018, most of the targeted organizations were English speaking or had an English-speaking regional office. The McAfee Advanced Threat Research observed that the majority of targets were defense and government-related organizations.
Key findings:
- Sharpshooter hit close to 100 organizations in 24 countries by phishing emails posing as job recruitment during October and November 2018; targeting government, nuclear and defence organisations
- Sharpshooter is leveraging the Rising Sun implant – a fully functional, modular backdoor that performs reconnaissance on victims’ network
- Attackers get access to machine level info, including documents, usernames, network configuration and system settings
- Rising Sun is an evolution of the backdoor Trojan Duuzer used in the Sony attacks
- Operation Sharpshooter has numerous technical links to the Lazarus Group (Wannacry) – making it seem too obvious to immediately draw the conclusion that they are responsible, indicating potential false flags.
Conclusion
The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. Victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.