Operation Sharpshooter- a new scam campaign hits global infrastructure

A new malware campaign whose distributers claims them to be a recruit person has impacted multiple organizations including nuclear energy, defense, finance, telecommunications, health care and other sectors. The McAfee Advanced Threat Research team and McAfee Labs Malware Operation Group have discovered this and named it as “Operation Sharpshooter”.

The Operation Sharpshooter- deep analysis

Operation Sharpshooter is a global email scam campaign targeting various industries masquerading as a job recruitment activity. McAfee security team was the first who revealed this global email scam campaign that targets nuclear, defense, energy and other financial companies.

The Operation sharpshooter actors send these emails. These emails have attached Word document with weaponized macros. Recipients are coercing into believing that the emails are coming from genuine source (legitimate senders’ address). However, once clicked on the Word document for downloading, automatically a shell code starts running that inject Sharpshooter downloader into the memory of word.

The sharpshooter downloader further downloads two files:

  • Rising Sun- a payload that collects confidential data
  • OLE- a word document

The payload downloaded to startup folder to ensure persistence of the system whereas the OLE document downloaded to %LOCALLAPPDATA% which is used to tempt the malicious content.

The implant collects personal details including IP address, logins, usernames, as well as crucial system containing information such as Network adaptor Computer name, OS product name. Following to gathering information, it encrypts the stored data with RC4 algorithm. The Rising Sun implant has following 14 backdoor capabilities

  • Connect to an IP address
  • Change file attributes
  • Variant of change file attributes
  • Terminate process
  • Read file
  • Execute commands
  • Get drive information
  • Launch process from Windows binary
  • Get processes information
  • Get additional file information for files in a directory
  • Get file times
  • Clear process memory
  • Write file to disk
  • Delete file

 “Between October and November, this implant appears in 87 organizations around the world and mostly in US.” McAfee stated.

Lazarus Group seem to be responsible for this campaign

Advanced threat researchers analyze the sharpshooter operation and come to a conclusion that this campaign has the too many similarities with other campaigns created by Lazarus Group.

The McAfee team states in their post:

“Operation Sharpshooter’s numerous technical links to the Lazarus Group seems too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags.”