Security researchers have discovered a major targeted attack campaign aimed at stealing info from scores of mainly English-speaking organizations around the world and using source code from the infamous Lazarus Group.
What McAfee has dubbed “Operation Sharpshooter” targets government, defence, nuclear, energy and financial organizations, mainly in the US but also the UK, Canada, Australia, New Zealand, Russia, India and elsewhere.
Some 87 organizations have so far been found to be infected with the Rising Sun implant, a modular backdoor which allows the attackers to perform reconnaissance by accessing sensitive information including documents, usernames, network configuration and system settings.
Although not previously seen, the implant draws on source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer, used in the notorious attack on Sony Pictures Entertainment. However, McAfee is not attributing the campaign to North Korea — in fact, the “numerous technical links” to the group raise the possibility that this is a false flag, it claimed.
The initial attack vector is fairly standard: a weaponized macro-based document which, when opened, runs an in-memory implant to download and retrieve the second-stage Rising Sun malware.
Any data of interest is encrypted and sent back to the C&C server. It’s unclear whether the operation will stop at reconnaissance or if this is just the first stage in a multi-layered sophisticated campaign.
“Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors,” argued McAfee chief scientist and fellow, Raj Samani.
“However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”