Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, many of them located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted that the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | During Operation Sharpshooter, a first-stage downloader installed Rising Sun to |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.[1] |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | For Operation Sharpshooter, the threat actors compromised a server that they used as part of the campaign's infrastructure.[2] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation Sharpshooter, additional payloads were downloaded after a target was infected with the first-stage downloader.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | During Operation Sharpshooter, the threat actors sent malicious Word OLE documents to victims.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | During Operation Sharpshooter, the threat actors installed Rising Sun in the Startup folder and disguised it as |
| Enterprise | T1106 | Native API | During Operation Sharpshooter, the first-stage downloader resolved various Windows libraries and APIs, including |
| Enterprise | T1055 | Process Injection | During Operation Sharpshooter, the threat actors used embedded shellcode to inject a downloader into the memory of Word.[3] |
| Enterprise | T1090 | Proxy | For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.[2] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files.[1] |
| ID | Name | Description |
|---|---|---|
| S0448 | Rising Sun | During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants.[1][2] |