McAfee finds threat targeting nuclear, defence and energy sectors

Researchers at the security firm McAfee claim to have found a new threat targeting companies in the nuclear, defence, energy and financial sectors, which they have named Operation Sharpshooter. It works only on Windows.

The company said the campaign used an in-memory implant to download and retrieve a second-stage implant to continue the exploitation process. The latter implant has been given the name Rising Sun and uses source code from a backdoor named Trojan Duuzer used by the Lazarus Group in 2015.

But McAfee said the presence of this source code did not mean that the new campaign also originated from the Lazarus Group, and refused to make any attribution.

The company said in October and November the Rising Sun implant had appeared in 87 companies across the globe, mostly in the US, based on its own telemetry. Most of the targeted firms used English as their main language or else had a regional office where this was the case.

The initial infection came through Microsoft Word documents which contained Korean-language metadata, indicating that they had been created using a Korean version of the software. The documents purported to recruit personnel for positions at unnamed companies and contained a malicious macro that used embedded shellcode to inject a downloader into the memory of the application.

A map showing the industries targeted in different countries.

The second-stage implant, Rising Sun, was then downloaded from a website in Singapore and it, in turn, pulled down a binary to the startup folder on the infected Windows machine. After this, the implant and the decoy documents both executed their payloads.

Another document sent by the same author was a PDF containing questions about smartphone use and posing as some kind of survey from a big data analytics company.

The Rising Sun implant was a fully functional modular backdoor that would carry out reconnaissance and send the following information to a command and control server:

  • Network card information
  • Computer name
  • User name
  • IP address information
  • Native system information
  • OS product name from registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion | ProductName

The implant carried out data encryption and exfiltration using the following steps:

  • Once the data had been gathered from the endpoint, the implant encrypted it using the RC4 stream cipher.
  • After the data had been encrypted, the implant added another layer of obfuscation by Base64-encoding the RC4-encrypted data.
  • The data was then sent to the C&C server.
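The two layers described above are cheap to reverse once a sample has been analysed. As an added example (not McAfee's code or the implant's), the following analyst-side decoder strips the Base64 layer and then the RC4 layer from a captured blob; the key, the JSON serialisation of the reconnaissance fields and the sample values are all constructed assumptions, since the article gives none of them.

```python
import base64
import json
from typing import Dict

# Constructed placeholder key: the article does not disclose the key the
# implant used, so analysis of the sample would have to supply it.
PLACEHOLDER_KEY = b"placeholder-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_blob(fields: Dict[str, str], key: bytes = PLACEHOLDER_KEY) -> str:
    """Constructed test input only: recon fields serialised as JSON (an assumption,
    the article does not state the wire format), RC4-encrypted, then Base64-encoded."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_exfil(blob: str, key: bytes = PLACEHOLDER_KEY) -> Dict[str, str]:
    """Analyst-side reversal of the two layers: Base64 first, then RC4."""
    ciphertext = base64.b64decode(blob, validate=True)  # strip Base64 layer
    plaintext = rc4(key, ciphertext)                     # strip RC4 layer
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample mirroring the field types the article lists.
    sample = {"ComputerName": "WS-0042", "UserName": "jdoe",
              "ProductName": "Windows 10 Pro"}
    blob = build_sample_blob(sample)
    print(blob)
    print(decode_exfil(blob))
```

Because RC4 is symmetric, the same `rc4` call serves both the constructed encoder and the decoder, which is also why a recovered key lets an analyst read every blob captured from the same sample.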

"Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution," McAfee said. "Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information.

"The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter."

Graphic: courtesy McAfee


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
