Nigel Hawthorn, data privacy expert, McAfee

McAfee researchers have uncovered a new malware campaign targeting financial organisations in the UK, as well as government, defence, nuclear and energy organisations across the globe. Dubbed “Operation Sharpshooter”, it hit close to 100 organisations in 24 countries in just a few weeks (October – November 2018).

After gaining access through a phishing email masquerading as a recruitment message, Sharpshooter leverages the Rising Sun implant – a fully functional, modular backdoor that performs reconnaissance on victims’ networks. Attackers gain access to machine-level information, including documents, usernames, network configuration and system settings.

Operation Sharpshooter has numerous technical links to the notorious Lazarus Group, but these are too obvious to immediately draw the conclusion that they are responsible, indicating potential false flags. Rising Sun is also an evolution of the backdoor Trojan Duuzer used in the Sony attacks.

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defence, energy, and financial companies, based on McAfee Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which they call Rising Sun—for further exploitation. According to McAfee’s analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Their research focuses on how this actor operates, the global impact, and how to detect the attack.

Read the full analysis of Operation Sharpshooter.

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. McAfee’s analysis also indicates similar techniques associated with other job recruitment campaigns.

In October and November 2018, the Rising Sun implant appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and their analysis. Based on other campaigns with similar behaviour, most of the targeted organizations are English-speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organisations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of the targets were defence and government-related organizations.

The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

This is a new implant. Multiple victims from different industry sectors around the world have reported these indicators.

Raj Samani, Chief Scientist and Fellow at McAfee said: “Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors.

However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”

Nigel Hawthorn, data privacy expert, McAfee said: “The financial industry is extremely well-regulated, and the likes of FCA regulations and GDPR have necessitated financial institutions to be more secure and transparent with their data, both in the cloud and on-premise. However, targeted, sophisticated campaigns such as Operation Sharpshooter demonstrate that cyber-threats are still ever-present, and financial organisations are prime targets.

However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be mitigated. Financial institutions must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems. With the prospect of fines from the FCA or ICO looming as the result of a data breach, the stakes have never been higher.”

by Bill Boyle
IBS Intelligence Senior Editor