Delaware, USA – December 13, 2018 – ‘Operation Sharpshooter’ cyber espionage campaign has been active for two months targeting at least 87 organizations in 24 countries. It is still unknown who is the threat actor behind this campaign. Attackers use techniques, tactics and procedures of the Lazarus group, but researchers from McAfee assume that all of them could be false flags to throw cybersecurity experts off the scent. Operation Sharpshooter targets nuclear, defense, energy and financial companies predominantly in the United States. Also, researchers discovered the high-function implant used in this campaign in South America, Europe, the Middle East, India, Australia, Japan and several other countries.
The operation started at the end of October when attackers sent the first wave of phishing emails. The malicious documents contain a macro that injects a downloader for the first-stage malware (Sharpshooter) into the memory of Word, which downloads and implants Rising Sun malware. The final payload shares code and configuration data with Duuzer trojan used by Lazarus group in the Sony hack. This modular backdoor performs reconnaissance sending to a C&C server gathered information including usernames, network configuration and system settings. It is also capable of executing commands and downloading additional malware.
At the moment, researchers don’t know if the attackers will use the collected information to start the next phase of the campaign or will continue reconnaissance activity. New APT groups are actively emerging, so organizations and government entities need advanced tools to detect malicious actions. APT Framework adds sophistication to your existing tools by leveraging the Lockheed Martin Cyber kill chain to connect the dots between low-level SIEM incidents and link them to high-confidence compromises.