Canadian natural gas and telecom firms are among critical infrastructure organizations around the world that have been targeted by a job recruitment scam attempting to plant malware, McAfee researchers said today.
The security vendor, which dubs the campaign Operation Sharpshooter, said that so far nuclear, defense, energy, and financial companies have received email with poisoned documents likely aimed at gathering intelligence. The strategy leverages an in-memory implant to download and retrieve a second-stage implant—which McAfee calls Rising Sun—for further exploitation.
“In October and November the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States,” McAfee’s customer data has shown. “This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”
In addition to Canada and the U.S., the campaign has been directed at firms in Australia, Israel, France, Germany, Japan, Russia, the U.K., Iran, Spain, Egypt and others.
Researchers said the Rising Sun implant uses source code from the North Korean-based Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework. According to Kaspersky, the Lazarus Group has been working since at least 2009. However, McAfee is careful not to attribute Operation Sharpshooter to them: The “obvious links” in the malware to Lazarus could be a diversion, researchers say.
However, the report also notes this attack is similar to a 2017 campaign attributed to the Lazarus Group.
In this campaign typically a series of targeted job recruitment emails with malicious documents are being sent out. All the malicious documents had English-language job description titles for positions at unknown companies, distributed by an IP address in the United States and through the Dropbox service. The documents contain a malicious macro that leverages
embedded shellcode to inject the Sharpshooter downloader into the memory of Microsoft Word. Once the Word process is infected, the downloader retrieves the second-stage Rising Sun implant. It includes a second decoy document, presumably to confuse defenders and lead them away from the modular backdoor that’s being installed.
The implant fetches information including network adapter info, computer name, user name, IP address information, native system information and opeating system product name from the registry, hard drive details, details of processes running on the device and details of files. This data is sent to a command and control server where the attackers use it to decide their next steps.
“We have not previously observed this implant,” says McAfee. “Was this attack just a first-stage reconnaissance operation, or will there be more?”