Friday, 14 December 2018 10:47

McAfee finds threat targeting nuclear, defence and energy sectors


Researchers at the security firm McAfee claim to have found a new threat to companies dealing in the nuclear, defence, energy and financial sectors, which they have named Operation Sharpshooter. It works only on Windows.

The company said the campaign used an in-memory implant to download a second-stage implant that continued the exploitation process. The second-stage implant has been given the name Rising Sun and shares source code with Trojan Duuzer, a backdoor used by the Lazarus Group in 2015.

But McAfee said the presence of this source code did not mean that the new campaign also originated from the Lazarus Group, and refused to make any attribution.

Based on its own telemetry, the company said the Rising Sun implant had appeared in 87 companies across the globe in October and November, mostly in the US. Most of the targeted firms used English as their main language or else had a regional office where this was the case.

The initial infection came through Microsoft Word documents containing Korean-language metadata, indicating that they had been created using a Korean version of the software. The documents posed as job advertisements for positions at unknown companies and contained a malicious macro that used embedded shellcode to inject a downloader into the memory of the application.

[Image: a map showing the industries targeted in different countries.]

The second-stage implant, Rising Sun, was then downloaded from a website in Singapore and it, in turn, pulled down a binary to the startup folder on the infected Windows machine. After this, the implant and the decoy documents both executed their payloads.

Another document sent by the same author was a PDF containing questions about smartphone use and posing as some kind of survey from a big data analytics company.

The Rising Sun implant was a fully functional modular backdoor that would carry out reconnaissance and send the following information to a command and control server:

  • Network card information
  • Computer name
  • User name
  • IP address information
  • Native system information
  • OS product name from registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion | ProductName

The implant carried out data encryption and exfiltration in the following steps:

  • Once the data has been gathered from the endpoint, the implant encrypts it using the RC4 stream cipher.
  • The implant then adds a further layer of obfuscation by Base64-encoding the RC4-encrypted data.
  • The resulting data is sent to the C&C server.
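The RC4-then-Base64 layering described above is easy to reverse once an analyst has recovered the key from a sample, because RC4 is symmetric and Base64 is not encryption at all. The following Python is an added illustration, not code from McAfee or from the article: it implements textbook RC4, checks it against the public "Key"/"Plaintext" test vector, and then encodes and decodes a constructed reconnaissance record. The key and the record are hypothetical sample values; the real campaign's key is not given on the page.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same XOR both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def rc4_self_test() -> bool:
    """Sanity check against the widely published test vector (key 'Key', text 'Plaintext')."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


def encode_layered(key: bytes, plaintext: bytes) -> str:
    """The layering described in the article: RC4 first, then Base64 on top."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_capture(key: bytes, captured: str) -> bytes:
    """Analyst-side reversal of a captured payload: strip Base64, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(captured))


# Constructed sample values (hypothetical, not from the campaign).
SAMPLE_KEY = b"recovered-key-placeholder"
SAMPLE_RECON = b"host=WS-01;user=jdoe;os=Windows 10 Pro;ip=10.0.0.5"


if __name__ == "__main__":
    assert rc4_self_test()
    wire = encode_layered(SAMPLE_KEY, SAMPLE_RECON)
    print("on the wire:", wire)
    print("decoded    :", decode_capture(SAMPLE_KEY, wire))
```

Two points worth noting for detection work: Base64 text carrying RC4 output has no recognisable structure, so a network signature has to key on the transport (URL, headers, beacon timing) rather than the body; and because RC4 provides no integrity protection, a decoded record should be validated against the field layout expected from the sample before being trusted in an incident timeline.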

"Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution," McAfee said. "Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information.

"The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter."

Graphic: courtesy McAfee


Sam Varghese
Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.