Operation Sharpshooter  (Back to overview)

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

---

Associated Families

---

References

2022-03-31 ⋅ APNIC ⋅ Debashis Pal @online{pal:20220331:how:c5195a9, author = {Debashis Pal}, title = {{How to: Detect and prevent common data exfiltration attacks}}, date = {2022-03-31}, organization = {APNIC}, url = {https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/}, language = {English}, urldate = {2022-05-05} } How to: Detect and prevent common data exfiltration attacks Agent Tesla DNSMessenger PingBack Rising Sun

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2019-03-03 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20190303:op:89fdbdd, author = {Ionut Ilascu}, title = {{Op 'Sharpshooter' Connected to North Korea's Lazarus Group}}, date = {2019-03-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/}, language = {English}, urldate = {2019-12-20} } Op 'Sharpshooter' Connected to North Korea's Lazarus Group Operation Sharpshooter

2018-12-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra @techreport{sherstobitoff:20181212:operation:f8b490f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf}, language = {English}, urldate = {2019-12-18} } Operation Sharpshooter: Campaign Targets Global Defense, Critical Infrastructure Rising Sun

2018-12-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra @online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure Rising Sun Lazarus Group Operation Sharpshooter

---

Credits: MISP Project