The North Korean hacking group Lazarus Group’s Operation Sharpshooter campaign used “extremely convincing” job recruitment emails to target defense, government, finance, energy and critical infrastructure organizations across the world, according to McAfee researchers.
An unnamed government entity familiar with the malware campaign provided code and data from a command-and-control server responsible for the management of the operations, tools and tradecraft behind the global cyber espionage campaign, the researchers revealed at the RSA 2019 Conference.
From this data, researchers were able to identify several previously unknown command-and-control servers, suggesting that the Operation Sharpshooter malware campaign, which was discovered in December 2018, may have begun as early as September 2017.
“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle,” McAfee Senior Principal Engineer and Lead Scientist Christiaan Beek said. “Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.”
Researchers also found Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns also attributed to Lazarus Group.
Researchers also discovered a network block of IP addresses originating from the city of Windhoek, Namibia, suggesting threat actors conducted their initial tests in Africa prior to launching their global attacks.
In addition, researchers uncovered a C&C infrastructure whose core backend is written in PHP (Hypertext Preprocessor) and which appears to be customized and unique to the group. They also observed a factory-like development process in which the various malicious components that make up the Rising Sun implant were developed independently of the core implant functionality.