Operation Sharpshooter

Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[1][2][3]

ID: C0013
First Seen: September 2017 [3]
Last Seen: March 2019 [3]
Version: 1.0
Created: 26 September 2022
Last Modified: 13 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1090 Proxy

For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.[2]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

During Operation Sharpshooter, a first-stage downloader installed Rising Sun to %Startup%\mssync.exe on a compromised host.[1]
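The two entries above (T1036.005, T1547.001) describe the same artifact: an executable named mssync.exe dropped into the user's Startup folder by a downloader launched from a Word macro. The following hunt script is an added example written for this page; it is not code from the ATT&CK project or from the cited reports. It runs over constructed Sysmon-style "file created" records embedded inline (the pipe-separated key=value layout, the sample paths and the list of Office image names are assumptions made for the example) and flags executables written under the Startup folder, ranking the hit higher when the writing process is an Office application, since a macro-driven drop would appear as a write by winword.exe.

```python
"""Hunt for executables dropped into the per-user Startup folder (T1547.001),
including ones masquerading under a plausible name such as mssync.exe (T1036.005).

Added example, not part of the ATT&CK page or the cited reports. The record
format, field names and sample values below are constructed for this example.
"""
from dataclasses import dataclass

# Path fragment of the per-user Startup folder as written on a Windows host
# (compared case-insensitively; a plain string because it ends in a backslash)
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# File types that execute when dropped into Startup
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".lnk", ".vbs", ".js", ".bat", ".cmd")

# Document-handling processes that normally have no reason to write executables
# into Startup; a write from one of these is the macro-downloader pattern (assumed list)
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe")


@dataclass
class Finding:
    image: str      # process that created the file
    target: str     # path of the created file
    reason: str     # why the record was flagged


def parse_record(line):
    """Parse a constructed 'Key=Value | Key=Value' record into a dict with lowercased keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def inspect(record):
    """Return a Finding for an executable written into the Startup folder, else None."""
    target = record.get("targetfilename", "")
    image = record.get("image", "")
    target_l = target.lower()
    if STARTUP_FRAGMENT not in target_l:
        return None
    if not target_l.endswith(EXECUTABLE_EXTENSIONS):
        return None
    image_name = image.lower().rsplit("\\", 1)[-1]
    if image_name in OFFICE_IMAGES:
        reason = "office process wrote executable to Startup folder"
    else:
        reason = "executable written to Startup folder"
    return Finding(image=image, target=target, reason=reason)


def hunt(lines):
    """Run inspect() over every non-empty record and collect the findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        finding = inspect(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (Sysmon Event ID 11 style); not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 | Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r" | TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssync.exe",
    r"EventID=11 | Image=C:\Windows\System32\svchost.exe"
    r" | TargetFilename=C:\Users\alice\AppData\Local\Temp\update.exe",
    r"EventID=11 | Image=C:\Windows\explorer.exe"
    r" | TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
    r"EventID=11 | Image=C:\Users\alice\Downloads\installer.exe"
    r" | TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.image} -> {f.target}")
```

Only the mssync.exe write by WINWORD.EXE and the helper.exe write by an arbitrary installer are reported; the Temp-folder executable and the text file in Startup are ignored. In a real environment the same logic applies to the all-users Startup folder and to the Run keys the technique entry also names, and the per-user path should be matched with the same case-insensitive fragment rather than a hard-coded user name.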

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.[1]

Enterprise T1584.004 Compromise Infrastructure: Server

For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.[2]

Enterprise T1587.001 Develop Capabilities: Malware

For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.[1]

Enterprise T1608.001 Stage Capabilities: Upload Malware

For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[1]

Enterprise T1106 Native API

During Operation Sharpshooter, the first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[1]

Enterprise T1204.002 User Execution: Malicious File

During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files.[1]

Enterprise T1583.006 Acquire Infrastructure: Web Services

For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.[1]

Enterprise T1105 Ingress Tool Transfer

During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.[1]

Enterprise T1055 Process Injection

During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word.[3]

Enterprise T1559.002 Inter-Process Communication: Dynamic Data Exchange

During Operation Sharpshooter, threat actors sent malicious Word OLE documents to victims.[1]

Software

ID Name Description
S0448 Rising Sun

During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants.[1][2]

References