Sharpshooter is targeting various sectors around the world, infects 87 organizations
The McAfee Advanced Threat Research team revealed that a new malware campaign is targeting various industries around the world. According to the official report, multiple organizations around the globe were impacted by Operation Sharpshooter, spanning the financial, defense, nuclear energy, telecommunications, healthcare, and other sectors.
Everything started with a phishing email campaign in which the malware authors disguised the malicious email as a recruitment message and used it to distribute a backdoor. This fully functional, modular backdoor explores the system and gives the attackers access to the machine and the data stored on it, including documents, account information, credentials, and network settings.
While the fileless malware and exploitation tool borrow code from a trojan also associated with the Lazarus Group, the global phishing campaign targeted organizations for the purpose of cyber espionage. In October and November, this Rising Sun implant was detected in more than 87 organizations, most of them in the US and other English-speaking countries.
McAfee researchers Ryan Sherstobitoff and Asheer Malhotra stated the following:
Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.
The well-known Lazarus Group seems to be responsible for the attacks
The Advanced Threat Research team analyzed the Sharpshooter operation and noticed many similarities with other campaigns run by the Lazarus Group. One of them is the Microsoft Word lure document, which was created in a Korean-language version of the software, consistent with the North Korea-based hacker group. Researchers also noted that the attack closely resembled a Lazarus operation in 2017, when the same criminals targeted the defense and energy sectors in the US.
The McAfee team stated in their blog post:
Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags.
The same source code used in previous Lazarus attacks was reused to create the Rising Sun backdoor. The Duuzer backdoor was used back in 2015, when Lazarus targeted Japan and South Korea, and the two backdoor trojans share source code and functionality. The malware also uses randomized characters in its library names and a dynamic API resolution technique that has been seen in other Lazarus creations.
Rising Sun is a complex operation that researchers will keep watching
Although many of its functions are associated with the Lazarus hacker group, these specific features might have been planted intentionally, as the backdoor has fourteen malware functions. The primary purpose of the trojan is to run reconnaissance on the targeted machine. The collected information can be delivered to the command and control server, giving the attackers details about the network and system as well as identification data such as the IP address, OS and product names, usernames, or even passwords.
The full set of malware code contains 14 commands that allow it to execute other processes via the Windows Command Prompt, write or delete data, and launch programs. Additionally, it can terminate processes, read files, clear memory, or even call functions from Windows libraries.
The McAfee team continues to observe this campaign and commits to monitoring it in the future:
Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.
Indeed, considering that it is mainly the governmental sector that is being attacked all over the world, it is highly likely that Lazarus is behind Operation Sharpshooter.