‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
This post was written with contributions from the McAfee Advanced Threat Research team.
The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, uses an in-memory first-stage implant to download a second-stage implant, which we call Rising Sun, for further exploitation. According to our analysis, Rising Sun reuses source code from Duuzer, the Lazarus Group’s 2015 backdoor Trojan, inside a new framework to infiltrate these key industries.
Operation Sharpshooter’s numerous technical links to the Lazarus Group are too obvious for us to conclude immediately that Lazarus is responsible for the attacks; they may instead be false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We leave attribution to the broader security community.
Read our …
IoC
IP addresses:
137.74.41.56
208.117.44.112
34.214.99.20
SHA-1 hashes:
31e79093d452426247a56ca0eff860b0ecc86009
66776c50bcc79bbcecdbe99960e6ee39c8a31181
668b0df94c6d12ae86711ce24ce79dbe0ee2d463
8106a30bd35526bded384627d8eebce15da35d17
9b0f22e129c73ce4c21be4122182f6dcbc351c95
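The indicators above are only useful once they are run against telemetry. The following Python script is an added example, not code from the McAfee post or from the research team: it loads the IP addresses and SHA-1 hashes listed above, extracts IPv4 addresses and 40-hex-character digests from arbitrary log lines (proxy, DNS, EDR), and reports which lines hit. The log lines are constructed for the example and are not real telemetry; the field names in them (src=, dst=, sha1=) are assumptions, and the matcher does not depend on them.

```python
"""Sweep log lines for the Operation Sharpshooter IoCs listed in the post.

Added example. The IoC values are taken from the post; the sample log lines
below are constructed for illustration and are not real telemetry.
"""
import ipaddress
import re

# Indicators from the post: C2 / infrastructure IPs and SHA-1 file hashes.
IOC_IPS = {
    "137.74.41.56",
    "208.117.44.112",
    "34.214.99.20",
}
IOC_SHA1 = {
    "31e79093d452426247a56ca0eff860b0ecc86009",
    "66776c50bcc79bbcecdbe99960e6ee39c8a31181",
    "668b0df94c6d12ae86711ce24ce79dbe0ee2d463",
    "8106a30bd35526bded384627d8eebce15da35d17",
    "9b0f22e129c73ce4c21be4122182f6dcbc351c95",
}

# Dotted-quad candidates; validated with ipaddress so 999.1.1.1 is ignored.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Exactly 40 hex characters bounded by non-word characters (a SHA-1 digest).
SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


def find_iocs(line):
    """Return a list of (kind, value) pairs for every IoC found in one line."""
    hits = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # not a real dotted quad (octet > 255)
        if candidate in IOC_IPS:
            hits.append(("ip", candidate))
    for digest in SHA1_RE.findall(line):
        digest = digest.lower()  # EDR products differ in hash case
        if digest in IOC_SHA1:
            hits.append(("sha1", digest))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for every line with at least one IoC hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = find_iocs(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample lines (assumed field names); two of the five hosts are
# near misses on purpose: 34.214.99.200 is not 34.214.99.20.
SAMPLE_LOGS = [
    "2018-12-12T10:01:02Z proxy allow src=10.0.0.5 dst=208.117.44.112:443 bytes=4812",
    "2018-12-12T10:01:09Z proxy allow src=10.0.0.5 dst=34.214.99.200:443 bytes=120",
    "2018-12-12T10:02:30Z edr file_create host=ws17 path=C:\\Users\\a\\AppData\\Local\\Temp\\x.dll "
    "sha1=668B0DF94C6D12AE86711CE24CE79DBE0EE2D463",
    "2018-12-12T10:03:00Z proxy allow src=10.0.0.9 dst=151.101.1.69:443 bytes=900",
    "2018-12-12T10:04:44Z dns query host=ws17 answer=137.74.41.56",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
```

Matching on whole tokens with word boundaries matters: a naive substring search for `34.214.99.20` would also fire on `34.214.99.200`, and hash case must be normalised because endpoint products emit digests in either case. Network indicators in particular age quickly as infrastructure is reassigned, so a hit on an IP should be treated as a lead to pivot on (destination, timing, file activity on the same host), not as a verdict on its own.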