Operation Sharpshooter targets critical infrastructure: McAfee

By Digital Edge Bureau, 13.12.2018, 01:14
Operation Sharpshooter targets nuclear, defense, and energy installations including banking & financial institutions

In a new development, the McAfee Advanced Threat Research team and the McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which McAfee calls Rising Sun—for further exploitation. According to McAfee’s analysis, the Rising Sun implant reuses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer inside a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

In October and November 2018, the Rising Sun implant appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and analysis. Judging by other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest, or about organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.
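Because the chain described above starts with a document carrying a weaponized macro, the first defensive triage step is simply to establish whether an Office file contains a VBA project at all before anyone opens it. The following Python script is an added example for this article and is not McAfee's code or tooling: it inspects an OOXML file (a zip container) for the macro part and the matching content-type declaration, and flags the case where a macro part is present but undeclared. The sample documents it checks are constructed inline, so it runs offline with only the standard library.

```python
import io
import zipfile
from typing import Dict, List

# OOXML part names that carry VBA macro code. A .docx should never contain one;
# a .docm legitimately may, so the verdict is "review", not "malicious".
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def triage_ooxml(blob: bytes) -> Dict[str, object]:
    """Return a small triage record for an Office document supplied as bytes."""
    result: Dict[str, object] = {
        "is_ooxml": False,
        "macro_parts": [],
        "declared_macro_type": False,
        "undeclared_macro_part": False,
        "verdict": "not-ooxml",
    }
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return result
    result["is_ooxml"] = True

    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        macro_parts: List[str] = sorted(n for n in names if n in MACRO_PARTS)
        result["macro_parts"] = macro_parts
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declared_macro_type"] = MACRO_CONTENT_TYPE in content_types

    # A macro binary that the manifest does not declare is a stronger signal
    # than a plainly declared one: well-formed tooling always declares it.
    result["undeclared_macro_part"] = bool(macro_parts) and not result["declared_macro_type"]

    if result["undeclared_macro_part"]:
        result["verdict"] = "macro-present-undeclared: quarantine and review"
    elif macro_parts or result["declared_macro_type"]:
        result["verdict"] = "macro-present: review before opening"
    else:
        result["verdict"] = "no macro container"
    return result


def build_sample(with_macro: bool, declare: bool = True) -> bytes:
    """Build a constructed, minimal OOXML document in memory (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ('<?xml version="1.0"?><Types>'
                    '<Default Extension="xml" ContentType="application/xml"/>')
        if with_macro and declare:
            manifest += ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for an OLE container (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder vba container")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("plain document", build_sample(with_macro=False)),
        ("declared macro document", build_sample(with_macro=True)),
        ("undeclared macro document", build_sample(with_macro=True, declare=False)),
        ("not a document", b"not a zip at all"),
    ]:
        print(f"{label:28s} -> {triage_ooxml(blob)['verdict']}")
```

In practice this check sits in front of a mail gateway or a sandbox submission queue: anything that reports a macro container goes on for deeper inspection of what the macro does (for instance, whether it fetches and runs a second stage), which is the behavior the campaign above relies on.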

