A global phishing campaign called Operation Sharpshooter was discovered using fake job recruitment documents to infect defense, government and critical infrastructure organizations with a malicious backdoor implant, presumably for cyber espionage purposes.
The implant, nicknamed Rising Sun, was observed in least 87 impacted organizations over the course of October and November, McAfee Labs reported today in both a blog post and analysis report that detailed findings from its Advanced Threat Research team. Additional targeted sectors included finance, government, healthcare, telecommunications and more.
Described by McAfee as a “fully functional modular backdoor,” Rising Sun communicates with its C2 server via HTTP POST requests. It possesses 14 distinct backdoor capabilities, including gathering, encrypting and exfiltrating host data; terminating processes; reading, writing and deleting files; connecting to an IP address and changing file attributes.
Rising Sun borrows source code from Duuzer, a trojan affiliated with the reputed North Korean threat actor known as Lazarus Group.
Duuzer was used to target South Korea and Japan back in 2015, but no variants have since been observed – only adding to the mystery.
Rising Sun and Duuzer not only share much of the same functionality, but they also both randomize characters in their library names and also use a dynamic API resolution technique that’s also been seen in other previous Lazarus implants. And that’s not the only connection with Lazarus and North Korea: Operation Sharpshooter also shares many of the same tactics, techniques and procedures as a similar 2017 Lazarus campaign targeting the U.S. defense and energy industries. Moreover, its phishing documents, although written in English, were created in a Korean-language environment.
Despite this forensic evidence, McAfee refrained from attributing Operation Sharpshooter to Lazarus, suggesting that it’s possible the clues could have been planted.
“Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” wrote blog post authors Ryan Sherstobitoff, senior analyst for major campaigns, and security researcher Asheer Malhotra.
The phishing operation commenced on Oct. 25 with a series of emails – sent by a U.S.-based IP address and via the Dropbox service – that featured attached Microsoft Word documents containing job description titles for supposedly open positions at unknown companies.
“The documents contained a malicious macro that leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word,” the McAfee report explains. “Once the Word process was infected, the downloader retrieved the second-stage implant Rising Sun.”