Lazarus threat actor group behind the ‘Sharpshooter’ campaign

• Researchers' analysis resulted in more evidence linking the Sharpshooter campaign to North Korea’s Lazarus threat actor group.
• The Rising Sun implant that was observed in attacks before the Sharpshooter campaign shared the TTPs and methods used in the attacks attributed to the Lazarus group.

Worth noting - Researchers analyzed code from a C&C server used in the ‘Sharpshooter’ cyber-espionage campaign and found more evidence linking it to the Lazarus threat actor group.

The big picture

Lazarus threat group has used the ExpressVPN service in order to hide their location. This service showed connections to a web shell on a compromised server coming from two IP addresses in London. However, the IP addresses are not a reliable source to find the attackers location.

The group’s connection with the Sharpshooter campaign was obvious by inspecting the tools, strategies, and methods already linked to the Lazarus threat actor. For instance, the Rising Sun implant that was observed in attacks before the Sharpshooter campaign shared the TTPs and methods used in the attacks attributed to the Lazarus group.

This indicated that the Rising Sun implant was based on the original backdoor Duuzer's source code that was used by Lazarus.

More details on the analysis

Ryan Sherstobitoff and Asheer Malhotra from McAfee, along with McAfee’s Advanced Threat Research Team analyzed the code from the C&C server and detected new variants of the Rising Sun backdoor that has been used since 2016.

Researchers further examined the C&C server information and got a clear picture of the threat actor group’s operations and tools. This helped them to further detect new tools and malicious activities from the threat actor.

Researchers were also able to detect a set of unobfuscated connections from IP addresses in Windhoek, a city in Namibia, Africa. This implies that Lazarus threat group could have used the region as a test zone or the threat group runs the operation from those locations, or it could also be a false flag to redirect the researchers on the wrong path.

“When 'Sharpshooter' was first discovered, it was believed that the operation started in October 2018. However, a log file on the server indicates that the C2 framework has been active since at least September 2017, and probably "hosted on different servers over time,” BleepingComputer said in a blog.