US government officials recently provided security researchers with servers believed to have been used by North Korean hackers last year, a rare move. The seized server belonged to Operation Sharpshooter, a campaign first discovered in December last year that distributed malware targeting government bodies, telecommunications companies, and defense contractors.
The attackers send malicious Word documents by e-mail; once a document is opened, its macro code downloads a second-stage implant, Rising Sun, which the attackers use to steal data from the victim's machine.
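The delivery chain described above (a Word attachment whose macro fetches the second stage) is what mail-gateway and mailbox triage looks for first: whether an Office document carries a VBA project at all. The following is an added example, not code from the original article or from McAfee. It inspects an Office Open XML container for the `vbaProject.bin` part and the VBA content type declared in `[Content_Types].xml`, and sorts attachments into triage buckets. The sample documents are constructed in memory, and the function and bucket names are the example's own.

```python
import io
import zipfile

# Content type Office declares for the VBA project part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Constructed sample attachments (not real malware): a minimal Office Open XML
# container with and without an embedded VBA project part.
def _build_office_zip(with_macro: bool) -> bytes:
    content_types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    if with_macro:
        content_types += ('<Override PartName="/word/vbaProject.bin" '
                          'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-based VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed-placeholder")
    return buf.getvalue()

MACRO_DOC = _build_office_zip(with_macro=True)
CLEAN_DOC = _build_office_zip(with_macro=False)


def has_vba_project(data: bytes) -> bool:
    """True if an Office Open XML (zip) container carries a VBA project.

    Two independent signals are checked: the vbaProject.bin part itself, and
    the VBA content type in [Content_Types].xml. Either one is enough.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            if any(n.endswith("vbaproject.bin") for n in names):
                return True
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                return False
            return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Sort one attachment into a triage bucket (bucket names are this example's own)."""
    if not data.startswith(b"PK\x03\x04"):
        # Legacy OLE2 .doc files are not zip containers; they need an OLE
        # parser (e.g. oletools' olevba) rather than this check.
        return "legacy-or-unknown-format"
    if has_vba_project(data):
        return "macro-document"
    return "no-macros"


def triage_batch(attachments):
    """Return {bucket: [filenames]} for a list of (filename, bytes) pairs."""
    buckets = {}
    for filename, data in attachments:
        buckets.setdefault(triage_attachment(filename, data), []).append(filename)
    return buckets


if __name__ == "__main__":
    sample = [("job_offer.docm", MACRO_DOC), ("cv.docx", CLEAN_DOC)]
    for bucket, files in triage_batch(sample).items():
        print(bucket, files)
```

Anything landing in the macro-document bucket is what deserves a closer look (sandbox detonation or olevba extraction of the macro source); the check is deliberately cheap so it can run on every inbound attachment before delivery.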
According to an in-depth study by the McAfee Advanced Threat Research team and McAfee Labs, Rising Sun borrows from the Duuzer Trojan, which was used to target South Korean computers as far back as 2015 and belongs to the same malware family used in the Sony hack, also attributed to North Korea.
After the researchers examined the server code, they found that Operation Sharpshooter had been running longer than originally thought, dating back to September 2017. The analysis also shows a wider set of targeted industries and countries, including financial services and critical infrastructure in Europe, the United Kingdom, and the United States.
The analysis produced the following findings:
- Hunting and spearphishing. Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns, for example a very similar fake job recruitment campaign conducted in 2017 that the industry attributes to Lazarus Group.
- African connection. Analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia. This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks.
- Maintaining access to assets. The attackers have been using a command-and-control infrastructure with the core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code appears to be custom and unique to the group and McAfee’s analysis reveals it has been part of their operations since 2017.
- Evolving Rising Sun. The Sharpshooter attackers used a factory-like process where various malicious components that make up Rising Sun have been developed independently outside of the core implant functionality. These components appear in various implants dating back to 2016, which is one indication that the attackers have access to a set of developed functionalities at their disposal.