Rising Sun Backdoor Malware Launches With Operation Sharpshooter

What Is It?

Researchers at McAfee have released a report into a new Advanced Persistent Threat (APT) campaign they have named Operation Sharpshooter, which uses a cyber espionage payload they named Rising Sun.

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions, including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The researchers stated that during October and November of 2018, 87 organizations in 24 countries were infected (although the majority were based in the U.S.). Targeted organizations include defense and government-related entities, as well as the financial, energy, telecommunications and healthcare industries.

The campaign began on October 25, 2018 with links to malicious documents, hosted on Dropbox, sent to targeted organizations via social media. These documents claim to be job descriptions for positions at unknown companies. The documents contain data suggesting they were created using Korean-language versions of Microsoft Word. The documents contain malicious macros that execute shellcode. This shellcode then downloads both a benign decoy document and Rising Sun.

McAfee researchers found similarities between the code of Rising Sun and that of Duuzer, a previous cyber espionage backdoor that has been attributed to the Lazarus APT group (aka Hidden Cobra). They also found indicators potentially pointing toward Lazarus. However, they make no determination of attribution, as they state it is also potentially an attempted false flag operation aimed at placing the blame on Lazarus.

How Does It Propagate?

The Rising Sun malware does not contain the necessary code to self-propagate. The attack vector in this case is embedded in malicious Word documents containing macros which download the malicious payload. It is believed that targeted individuals were sent messages on social media containing links to the Word documents, claiming to be work recruitment campaigns.

When/How Did BluVector Detect It?

Five samples are listed in the McAfee report and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 43 months prior to their release.
