Researchers have detected a widespread reconnaissance campaign using a never-before-seen implant framework to infiltrate global defense and critical infrastructure players — including nuclear, defense, energy and financial companies.
The campaign, dubbed Operation Sharpshooter, began Oct. 25 when a splay of malicious documents were sent via Dropbox. The campaign’s implant has since appeared in 87 organizations worldwide, predominantly (about 50 percent of attacks) in the U.S. and in other English-speaking companies.
“Our discovery of a new, high-function implant is another example of how targeted attacks attempt to gain intelligence,” said Ryan Sherstobitoff and Asheer Malhotrawith of McAfee, in a Wednesday analysis.
They added that the malware takes several steps to unfold. The initial attack vector is a document that contains a weaponized macro. Once downloaded, it places embedded shellcode into the memory of Microsoft Word, which acts as a simple downloader for a second-stage implant. This next stage runs in memory and gathers intelligence.
“The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps,” the researchers said. They added that this could be a recon effort for a larger campaign down the road.
The documents, which contained English-language job descriptions for positions “at unknown companies,” were loaded with Korean-language metadata – indicating that they were created with a Korean version of Microsoft Word.
That second-stage implant is a fully modular backdoor dubbed Rising Sun that performs reconnaissance on the victim’s network, according to the research.
Notably, Rising Sun uses source code from the Duuzer backdoor, malware first used in a 2015 campaign targeting the data of South Korean organizations, mainly in manufacturing. Duuzer, which is designed to work with 32-bit and 64-bit Windows versions, opens a back door through which bad actors can gather system information.
In this situation, the Rising Sun implant gathers and encrypts data from the victim, and fetches the victim devices’ computer name, IP address data, native system information and more.
While the second-stage implant is downloading, the control server also downloads another OLE document which researchers say is “probably benign, used as a decoy to hide the malicious content.”
Due to this trick, victims “would not be aware unless they were security savy, the actor took the extra steps to ensure this,” Sherstobitoff told Threatpost.
Lazarus False Attribution
Researchers noted several characteristics of the campaign that linked it to the Lazarus Group, but suspected that the clues were purposefully planted as false flags to connect the two.
For instance, Rising Sun is similar to the Lazarus Group’s Duuzer implant – however, the two have key differences, including their communication methods, the command codes used and their encryption schemes.
“Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” researchers said. “Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.”