Malware campaign “Operation Sharpshooter” aims for UK fintech
If life in general wasn’t bad enough, a new global malware campaign targeting nuclear, defence, energy, and financial companies has been discovered.
Thanks to the heroics of the McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group, we now know what’s coming.
McAfee says this campaign, “Operation Sharpshooter”, uses an in-memory implant to download and retrieve a second-stage implant – which it calls “Rising Sun” – for further exploitation.
Raj Samani, chief scientist and fellow at McAfee, comments: “Despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”
According to its analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.
Operation Sharpshooter’s numerous technical links to the Lazarus Group seem “too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags”.
McAfee’s research focuses on how this actor operates, the global impact, and how to detect the attack. It coolly says: “We shall leave attribution to the broader security community.”
This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Its analysis also indicates similar techniques associated with other job recruitment campaigns.
In October and November 2018, the Rising Sun implant appeared in 87 organisations across the globe, predominantly in the US, based on McAfee telemetry and its analysis.
Based on other campaigns with similar behaviour, most of the targeted organisations are English speaking or have an English-speaking regional office.
While fintech is in danger and no one should relax, McAfee has observed that the majority of targets were defence and government-related organisations.
The malware moves in several steps. The initial attack vector is a document that contains a weaponised macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.
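A defender-side illustration of the chain just described, added here as an example that is not part of the McAfee report or this article: it correlates constructed process-creation and network events and flags an Office application spawning a script host that then makes an outbound connection within a short window, which is the macro-to-in-memory-downloader step. The log format, host names and addresses are assumptions made up for the example.

```python
from datetime import datetime, timedelta

# Office applications that host macros, and the script/loader hosts a macro
# typically launches to fetch a second stage (defensive watch-list, assumed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample telemetry in a simplified "ts|host|kind|proc|child|remote" form.
# For "process" rows proc is the parent and child the new process; for "network"
# rows proc is the connecting process. Addresses are documentation ranges.
SAMPLE_LOG = """\
2018-10-25T09:00:01|ws-17|process|explorer.exe|winword.exe|-
2018-10-25T09:00:07|ws-17|process|winword.exe|powershell.exe|-
2018-10-25T09:00:09|ws-17|network|powershell.exe|-|203.0.113.5:443
2018-10-25T09:30:00|ws-22|process|explorer.exe|winword.exe|-
2018-10-25T09:31:00|ws-22|process|winword.exe|splwow64.exe|-
2018-10-25T11:00:00|ws-22|network|chrome.exe|-|198.51.100.10:443
"""


def parse(log):
    """Parse the constructed pipe-delimited telemetry into event dicts."""
    events = []
    for line in log.splitlines():
        ts, host, kind, proc, child, remote = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
                       "proc": proc.lower(), "child": child.lower(), "remote": remote})
    return events


def find_macro_download_chains(events, window=timedelta(seconds=60)):
    """Return (host, office_app, script_host, remote) for every Office process that
    spawned a script host which then connected outbound within `window` seconds.
    Benign Office children (print helpers, add-ins) and unrelated browser traffic
    on the same host do not match."""
    alerts = []
    for e in events:
        if e["kind"] != "process" or e["proc"] not in OFFICE_PARENTS:
            continue
        if e["child"] not in SCRIPT_HOSTS:
            continue
        for n in events:
            if (n["kind"] == "network" and n["host"] == e["host"]
                    and n["proc"] == e["child"]
                    and timedelta(0) <= n["ts"] - e["ts"] <= window):
                alerts.append((e["host"], e["proc"], e["child"], n["remote"]))
    return alerts


if __name__ == "__main__":
    for alert in find_macro_download_chains(parse(SAMPLE_LOG)):
        print("suspicious macro download chain:", alert)
```

The same correlation can be fed from Sysmon event IDs 1 and 3 or an EDR export once the rows are mapped into the six fields above.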
McAfee has not previously observed this implant. It will continue to monitor this campaign and will report further when it or others in the security industry receive more information.
By the way, the two links in this story are safe. They go to relevant reports on this site.