- Researchers spotted a new global campaign dubbed Operation Sharpshooter targeting nuclear, defence, energy, and financial organizations.
- The new campaign was discovered by security researchers at McAfee.
- The campaign began on October 25 and has already infected 87 organizations across the globe.
- The victims were targeted with phishing emails disguised as recruitment emails and carrying a malicious document.
The campaign was discovered by security researchers at McAfee, who said the goal of the operation is to gather information for potential further exploitation.
The campaign began on October 25 and has already hit 87 organizations across the globe.
According to the analysis, the affected victims are predominantly in the United States and are either English-speaking organizations or have an English-speaking regional office. The majority of the targets were defence and government-related companies.
Organizations in Europe, South America, the Middle East, India, Australia and Japan were also targeted in the campaign.
Researchers also noted that the campaign has numerous technical links to the Lazarus APT group, but it has yet to be confirmed who is behind the attack.
“Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags”.
A series of phishing emails disguised as job vacancy emails was sent to the targets. The emails contain malicious documents whose author name is set to "Richard".
All the malicious documents contain English-language job descriptions and job titles from unknown companies, and were shared via Dropbox and from an unknown IP address in the United States.
The documents contain a malicious macro that leverages embedded shellcode to inject the Sharpshooter downloader into the memory of Word. The downloader then retrieves the second-stage implant, Rising Sun.
The Rising Sun implant is a modular backdoor that performs reconnaissance on the target's network. The malware is capable of executing commands, launching and terminating processes, clearing process memory, and deleting or reading files.
The implant also collects information such as network adapter details, PC name, username, IP address, native system information and the OS product name from the registry, and sends it to the control server.
The researchers also observed that Rising Sun shares many similarities with the Duuzer malware, which was used in the Sony attack.
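A macro that runs embedded shellcode in-process has to declare a handful of Win32 imports (memory allocation, a memory copy, a way to start execution), and those declarations survive in the document's VBA module streams. The script below is an added triage example, not McAfee's tooling or anything from the report: it implements the MS-OVBA stream decompression that every VBA module stream uses, then flags API names typical of shellcode loaders together with auto-execute entry points. The module stream itself is assumed to have already been pulled out of `vbaProject.bin` with an OLE parser (for example `olefile`); the VBA text, the benign sample and the hand-built copy-token stream are constructed for this example, and the API list is a heuristic chosen here, not a signature from the analysis.

```python
"""Decompress an MS-OVBA VBA module stream and flag shellcode-loader indicators.

Added example for triage of macro documents; assumes the module stream was
already extracted from vbaProject.bin (e.g. with olefile). Not McAfee's code.
"""
import re
import struct

# Heuristic list of Win32 imports a macro needs to allocate, fill and execute
# shellcode in the Word process. Chosen for this example, not from the report.
SHELLCODE_API_RE = re.compile(
    rb"\b(VirtualAlloc(?:Ex)?|RtlMoveMemory|CreateThread|CreateRemoteThread|"
    rb"WriteProcessMemory|CallWindowProc[AW]?|EnumSystemLanguageGroups[AW]?)\b")
AUTO_EXEC_RE = re.compile(rb"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b")


def decompress_stream(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression: 0x01 signature, then 4096-byte chunks of
    literal bytes and 16-bit copy tokens whose offset/length split depends on
    how much of the current chunk is already decompressed."""
    if not data or data[0] != 0x01:
        raise ValueError("missing compressed-container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3
        compressed = (header >> 15) & 1
        if compressed and chunk_size > 4098:
            raise ValueError("compressed chunk larger than 4098 bytes")
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        chunk_start = len(out)
        if not compressed:          # raw chunk: 4096 bytes copied verbatim
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]        # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:   # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                done = len(out) - chunk_start
                bit_count = max((done - 1).bit_length(), 4)   # ceil(log2(done)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):      # byte-wise copy: source may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_literals(data: bytes) -> bytes:
    """Literal-only encoder used to build test streams. Limited to one chunk so
    the output stays spec-conforming (a real encoder fills 4096-byte chunks)."""
    if not 0 < len(data) <= 3600:
        raise ValueError("single-chunk literal encoder: input must be 1..3600 bytes")
    payload = bytearray()
    for i in range(0, len(data), 8):
        payload.append(0x00)                 # flag byte: eight literal tokens
        payload += data[i:i + 8]
    header = 0x8000 | 0x3000 | (len(payload) + 2 - 3)   # compressed, sig 0b011, size-3
    return b"\x01" + struct.pack("<H", header) + bytes(payload)


def scan_module(stream: bytes) -> dict:
    """Decompress one module stream and report loader indicators."""
    src = decompress_stream(stream)
    apis = sorted({m.decode() for m in SHELLCODE_API_RE.findall(src)})
    auto = sorted({m.decode() for m in AUTO_EXEC_RE.findall(src)})
    return {"apis": apis, "auto_exec": auto, "suspicious": bool(apis) and bool(auto)}


# Constructed VBA skeleton of an in-process shellcode loader (declarations only).
SAMPLE_VBA = b"""Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (ByVal dest As LongPtr, ByRef src As Any, ByVal size As Long)
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal attr As LongPtr, ByVal stack As Long, ByVal start As LongPtr, ByVal param As LongPtr, ByVal flags As Long, lpThreadId As Long) As LongPtr
Sub AutoOpen()
    ' constructed placeholder: allocate RWX memory, copy bytes, start a thread
    Dim addr As LongPtr
    addr = VirtualAlloc(0, 4096, &H3000, &H40)
End Sub
"""
BENIGN_VBA = b"Sub Document_Open()\n    MsgBox \"hello\"\nEnd Sub\n"
# Hand-built stream: literals A,B,C,D then a copy token (offset 4, length 4).
COPY_TOKEN_SAMPLE = b"\x01\x06\xb0\x10ABCD\x01\x30"

if __name__ == "__main__":
    print(decompress_stream(COPY_TOKEN_SAMPLE))
    print(scan_module(compress_literals(SAMPLE_VBA)))
    print(scan_module(compress_literals(BENIGN_VBA)))
```

The copy-token sample is worth stepping through once: after four literal bytes, `done` is 4, so the token is split 4/12, giving offset 4 and length 4 and yielding `ABCDABCD`. Plain string searching over a raw `vbaProject.bin` misses declarations precisely because of this compression, which is why the decompression step matters for triage.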
For more details, see the analysis published by McAfee researchers.