Starting on October 25th, Operation Sharpshooter has targeted nuclear, defense, energy, and financial companies. The campaign started through malicious Dropbox documents and has now been seen in 87 organizations around the world. The underlying assault vector is a record that contains a weaponized macro. Once downloaded, it places installed shellcode into the memory of Microsoft Word, which goes about as a straightforward downloader into the second stage. This next stage keeps running in memory and accumulates insight. A control server is used by attackers to determine what they will do next and it is believed this could be a reconnaissance effort for a bigger campaign in the future. The second stage is called Rising Sun and it utilizes source code from the Duuzer malware first utilized in a 2015 Duuzer. It is intended to work with 32-bit and 64-bit Windows adaptations, by opening a secondary passage through which actors can assemble framework data. In this circumstance, Rising Sun accumulates and encodes information from the person in question, and gathers information such as PC name, IP address information, local framework data, among other information. Techniques used in this campaign are similar to those used by the Lazarus Group, but researchers think it could be a false flag to take the heat off another group that is behind the attacks. “Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags,” said researchers.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is