Sharpshooter Implant Spies on Major Global Industries

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered an advanced reconnaissance campaign targeting nuclear, defense, energy, and financial sectors worldwide. Dubbed “Operation Sharpshooter,” the campaign surfaced in October this year, affecting over 87 organizations, most of them English-speaking. The malware spread through what appeared to be a legitimate job recruitment Microsoft Word document hosted on Dropbox. Once opened, a malicious macro in the document executes shellcode to insert the Sharpshooter downloader into Word’s memory. The downloader contacts its control server and downloads two files: a second-stage, persistent payload known as Rising Sun in %Startup%\mssync.exe, and a decoy Word document. McAfee details fourteen capabilities of the backdoor, including command execution; process launching and termination; file reading, writing, and deletion; connection to an IP; memory clearing; and other information gathering techniques. Data is exfiltrated back to the control server through HTTP POST requests, making it harder for humans or intrusion detection systems to identify. Many similarities to the 2015 backdoor, Duuzer, indicate Rising Sun may be affiliated with the Lazarus Group, but this is not yet confirmed. The NJCCIC highly discourages all users from enabling macros in documents that come in unexpected or unsolicited emails; exercise caution when choosing to enable macros in documents that come with emails from known senders; and keep anti-virus/anti-malware, hardware, and software up-to-date. More information and indicators-of-compromise (IOCs) are detailed in McAfee’s blog post.

AlertNJCCICMicrosoft, Campaign