The company said the campaign used an in-memory implant to download a second-stage implant and continue the exploitation process. The second-stage implant has been named Rising Sun and uses source code from Trojan Duuzer, a backdoor used by the Lazarus Group in 2015.
But McAfee said the presence of this source code did not prove that the new campaign also originated from the Lazarus Group, and declined to make any attribution.
The company said that, based on its own telemetry, the Rising Sun implant appeared in 87 organisations across the globe in October and November, most of them in the US. Most of the targeted firms used English as their main language or had a regional office where that was the case.
A map showing the industries targeted in different countries.
The second-stage implant, Rising Sun, was downloaded from a website hosted in Singapore and in turn pulled down a binary to the startup folder of the infected Windows machine. After this, both the implant and the decoy documents executed their payloads.
Another document sent by the same author was a PDF containing questions about smartphone use and posing as some kind of survey from a big data analytics company.
The Rising Sun implant was a fully functional modular backdoor that carried out reconnaissance and sent the following information to a command and control server:
- Network card information
- Computer name
- User name
- IP address information
- Native system information
- OS product name from the registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion | ProductName
The implant encrypted and exfiltrated the collected data in three steps:
- Once the data had been gathered from the endpoint, the implant encrypted it with the RC4 stream cipher.
- It then added a second layer of obfuscation by Base64-encoding the RC4 ciphertext.
- The resulting data was sent to the C&C server.
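The two-layer scheme above (RC4, then Base64) is simple enough to reproduce end to end. The following is an added example written for this page, not code from McAfee or from the Rising Sun implant: it builds a beacon the way the steps describe and then shows the analyst-side reversal an incident responder would apply to a captured C&C request once the RC4 key has been pulled from the binary. The host details, the JSON serialisation, the key `example-rc4-key` and the function names are all assumptions; the section names neither the implant's key nor its record format.

```python
import base64
import json


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a plain XOR with the keystream, so one routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed sample of the host details the section lists; not real telemetry.
SAMPLE_RECON = {
    "adapters": ["Ethernet0 00-0C-29-AA-BB-CC"],
    "computer_name": "WKS-FINANCE-07",
    "user_name": "jdoe",
    "ip": "10.20.30.41",
    "system_info": "x64, 2 CPUs",
    "os_product_name": "Windows 10 Enterprise",
}

# Hypothetical key for illustration; the section does not give the implant's key.
SAMPLE_KEY = b"example-rc4-key"


def build_beacon(recon: dict, key: bytes) -> str:
    """Implant side: serialise the recon record, RC4-encrypt it, Base64-encode it."""
    plaintext = json.dumps(recon, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(beacon: str, key: bytes) -> dict:
    """Analyst side: strip the Base64 layer, then RC4-decrypt with the recovered key."""
    ciphertext = base64.b64decode(beacon, validate=True)
    return json.loads(rc4(key, ciphertext).decode())


if __name__ == "__main__":
    beacon = build_beacon(SAMPLE_RECON, SAMPLE_KEY)
    print("on the wire:", beacon)
    print("recovered:  ", decode_beacon(beacon, SAMPLE_KEY))
```

Base64 adds no secrecy, so the real hurdle for an analyst is the RC4 key; because RC4 needs the same static key on both ends, the key is typically a constant in the implant and can be recovered from a memory dump or the unpacked binary, after which every captured beacon decrypts with the same call.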
"Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution," McAfee said. "Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information.
"The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter."
Graphic: courtesy McAfee