Friday, 14 December 2018 10:47

McAfee finds threat targeting nuclear, defence and energy sectors


Researchers at the security firm McAfee claim to have found a new threat to companies dealing in the nuclear, defence, energy and financial sectors, which they have named Operation Sharpshooter. It works only on Windows.

The company said the campaign used an in-memory first-stage implant to download a second-stage implant and continue the exploitation process. The second-stage implant has been given the name Rising Sun and reuses source code from a backdoor named Trojan Duuzer, which was used by the Lazarus Group in 2015.

But McAfee said the presence of this source code did not mean that the new campaign also originated from the Lazarus Group, and refused to make any attribution.

The company said that, based on its own telemetry, the Rising Sun implant had appeared in 87 companies across the globe in October and November, mostly in the US. Most of the targeted firms used English as their main language or else had a regional office where this was the case.

The initial infection came through Microsoft Word documents that contained Korean-language metadata, indicating that they had been created using a Korean version of the software. The documents posed as job listings for positions at unnamed companies and contained a malicious macro that used embedded shellcode to inject a downloader into the memory of the Word process.

[Map: the industries targeted in different countries.]

The second-stage implant, Rising Sun, was then downloaded from a website in Singapore and it, in turn, pulled down a binary to the startup folder on the infected Windows machine. After this, the implant and the decoy documents both executed their payloads.

Another document sent by the same author was a PDF containing questions about smartphone use and posing as some kind of survey from a big data analytics company.

The Rising Sun implant was a fully functional modular backdoor that would carry out reconnaissance and send the following information to a command and control server:

  • Network card information
  • Computer name
  • User name
  • IP address information
  • Native system information
  • OS product name from registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion | ProductName

The implant carried out data encryption and exfiltration using the following steps:

  • Once the data had been gathered from the endpoint, the implant encrypted it using the RC4 stream cipher.
  • It then added a further layer of obfuscation by Base64-encoding the RC4-encrypted data.
  • The resulting data was sent to the C&C server.
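To make the two-layer wrapping concrete, here is an added Python example (not code from the article or from McAfee's report) that reproduces the RC4-then-Base64 encoding on a constructed record carrying the fields listed above, together with the analyst-side reversal an incident responder would run over a captured C&C request body once the key has been recovered from the sample. The key, the "Field=Value" record layout and every sample value are assumptions made for illustration; the article does not give them.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a plain XOR stream cipher, so one routine both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def wrap_exfil(plaintext: bytes, key: bytes) -> str:
    """The two layers the article describes, in order: RC4, then Base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def unwrap_exfil(blob: str, key: bytes) -> bytes:
    """Analyst-side reversal of wrap_exfil: Base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(blob))


def parse_recon_record(plaintext: bytes) -> dict:
    """Parse a line-oriented 'Field=Value' record.

    This layout is constructed for the example; the article does not
    describe the implant's real serialisation format.
    """
    fields = {}
    for line in plaintext.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


# Constructed sample data. The key is a placeholder: the article gives no key.
SAMPLE_KEY = b"placeholder-rc4-key"
SAMPLE_RECORD = b"\n".join([
    b"NetworkCard=Constructed Ethernet Adapter",
    b"ComputerName=WS-CONSTRUCTED-01",
    b"UserName=example.user",
    b"IPAddress=192.0.2.10",          # RFC 5737 documentation range
    b"SystemInfo=x64, 2 processors",
    b"ProductName=Windows 10 Pro",    # the value read from the CurrentVersion key
])


def decode_capture(blob: str, key: bytes) -> dict:
    """Recover the plaintext fields from a captured C&C request body."""
    return parse_recon_record(unwrap_exfil(blob, key))


if __name__ == "__main__":
    captured = wrap_exfil(SAMPLE_RECORD, SAMPLE_KEY)
    print("On the wire (Base64 of RC4 ciphertext):", captured[:60], "...")
    for name, value in decode_capture(captured, SAMPLE_KEY).items():
        print(f"  {name:<12} {value}")
```

Two points for defenders follow from this. The Base64 layer adds no secrecy; it only hides the ciphertext from naive string matching, and any analyst can strip it. The RC4 layer is the only real protection, and because RC4 is an unauthenticated stream cipher with a static key embedded in the implant, recovering that key from a sample lets responders decode every capture made with it and see exactly which of the listed host details left the network.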

"Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution," McAfee said. "Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information.

"The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter."

Graphic: courtesy McAfee




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


