• Just between October to November, the campaign targeted 87 organizations across 24 countries.
  • The threat actors used a new implant framework called Rising Sun, likely based on the backdoor Duuzer, used in the infamous Sony Pictures hack in 2014.

In the last few weeks, many government departments and numerous private companies in the defense, telecom, energy, and financial sectors have been in the crosshairs of a global hacking operation.

Threat researchers at McAfee, who monitored the campaign, named it “Operation SharpShooter”. Just in the period of two months, between October to November, the campaign targeted 87 organizations across 24 countries. The main aim of the operation appears to be to gather intelligence.

Though the victims belong primarily to the US, organizations in South America, Europe, the Middle East, India, Australia, and Japan, among others, have also been hit. Moreover, most of the affected organizations are English-speaking.

According to the researchers, the operation started on October 25, using a series of phishing emails designed to look like recruitment emails, which were sent to numerous targets. All the Microsoft Word attachments had a common author name - Richard. They contained seemingly legitimate job descriptions from various companies.

The documents were embedded with macros, meant to gather information for potential exploits. The macros injected a downloader into Microsoft Word memory using embedded shellcode. The downloader then implanted the second stage of the campaign, called Rising Sun.

The new implant framework, Rising Sun, is based on the 2015 backdoor Duuzer. This is the first reported variant since Duuzer first appeared. This new variant has a modular design. It can provide reconnaissance support by snooping machine-level information like documents, usernames, network configuration, and system settings. Rising Sun is also capable of sending this information to its designated command and control (C2) server. The malware is also capable of clearing its tracks by clearing memory and deleting its activities.

The Duuzer backdoor, which shares similarities with the Rising Sun, was used by the Lazarus group in the now infamous 2014 Sony hack. US authorities attributed the attack to hackers based in North Korea.

According to McAfee, the similarities between Rising Sun and Duuzer suggest that Lazarus or hackers linked to the North Korean hacker group could be behind Operation Sharpshooter. However, it could also be a purposeful decoy to create a false narrative.

“Regardless of the security solution being used, organizations should update their systems. Equally, organizations may want to run the IoCs in their environments,” Raj Samani, chief scientist and fellow at McAfee, told ZDNet.

Regardless of the identity of the threat actors, it is likely that Operation Sharpshooter may just be beginning. Organizations need to take active precautions to stay safe from attacks.

Cyware Publisher