
C0013 Operation Sharpshooter

Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code. [3][1][2]

ID: C0013
Associated Names: (none listed)
First Seen: September 2017
Last Seen: March 2019
Version: 1.0
Created: 26 September 2022
Last Modified: 13 October 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1583 | Acquire Infrastructure | -
enterprise | T1583.006 | Web Services | For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader. [3]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | During Operation Sharpshooter, a first-stage downloader installed Rising Sun to %Startup%\mssync.exe on a compromised host. [3]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.005 | Visual Basic | During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun. [3]
enterprise | T1584 | Compromise Infrastructure | -
enterprise | T1584.004 | Server | For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure. [1]
enterprise | T1587 | Develop Capabilities | -
enterprise | T1587.001 | Malware | For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor. [3]
enterprise | T1105 | Ingress Tool Transfer | During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader. [3]
enterprise | T1559 | Inter-Process Communication | -
enterprise | T1559.002 | Dynamic Data Exchange | During Operation Sharpshooter, threat actors sent malicious Word OLE documents to victims. [3]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe. [3]
enterprise | T1106 | Native API | During Operation Sharpshooter, the first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA(). [3]
enterprise | T1055 | Process Injection | During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word. [2]
enterprise | T1090 | Proxy | For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location. [1]
enterprise | T1608 | Stage Capabilities | -
enterprise | T1608.001 | Upload Malware | For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites. [3]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files. [3]
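The rows above describe one delivery chain: a Word lure (DDE field or VBA macro) runs a small downloader, the downloader drops Rising Sun into the Startup folder under the name mssync.exe, and further payloads are fetched from Dropbox. The Python below is an added example written for this page, not ATT&CK's or the original researchers' code. It shows two places a defender can catch that chain: a static triage of an Office Open XML document for DDE fields (T1559.002) and an embedded VBA project (T1059.005), and a behavioural hunt over process, file and network telemetry for Word spawning a child (T1204.002/T1059.005), a write into the Startup folder named mssync.exe (T1547.001/T1036.005), and an Office process reaching Dropbox (T1105/T1583.006). The sample document, the Sysmon-style event IDs and field names, the WINWORD.EXE path, the user name alice and every hostname are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# ---- 1. Static triage of the lure document (T1559.002 DDE field, T1059.005 VBA) ----

_INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
_FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
_DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def triage_docx(data: bytes) -> list:
    """Return findings for an Office Open XML document held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("T1059.005 vbaProject.bin present (document carries VBA)")
        for name in names:
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            # Word splits one field code across several w:instrText runs, so
            # join them before matching; fldSimple carries the code in an attribute.
            codes = ["".join(_INSTR_RE.findall(xml))] + _FLDSIMPLE_RE.findall(xml)
            for code in codes:
                if _DDE_RE.search(code):
                    findings.append(f"T1559.002 DDE field in {name}: {' '.join(code.split())[:80]}")
    return findings


def build_sample_docx(dde: bool, macro: bool) -> bytes:
    """Constructed minimal .docx for testing; not a real lure and not campaign data."""
    if dde:
        # A harmless DDE field code split across two runs, the way Word serialises it.
        para = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
                '<w:r><w:instrText xml:space="preserve">"/c echo constructed sample" </w:instrText></w:r>'
                '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    else:
        para = "<w:p><w:r><w:t>Job description</w:t></w:r></w:p>"
    document = ('<?xml version="1.0" encoding="UTF-8"?><w:document '
                'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                f"<w:body>{para}</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # stub; the real part list is not needed here
        z.writestr("word/document.xml", document)
        if macro:
            # OLE compound-file magic plus padding stands in for a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
    return buf.getvalue()


# ---- 2. Behavioural hunt over process / file / network telemetry ----

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed install path
STARTUP_MSSYNC = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                  r"\Start Menu\Programs\Startup\mssync.exe")

# Constructed Sysmon-style events: 1 = process create, 3 = network connect, 11 = file create.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": WORD, "parent": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "image": WORD, "dest_host": "dl.dropboxusercontent.com"},
    {"event_id": 11, "image": WORD, "target": STARTUP_MSSYNC},
    {"event_id": 1, "image": STARTUP_MSSYNC, "parent": WORD},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

_OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
_STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
_DROPBOX_RE = re.compile(r"(?:^|\.)dropbox(?:usercontent)?\.com$", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def hunt_events(events: list) -> list:
    """Return (technique, detail) pairs for events matching the chain on this page."""
    hits = []
    for e in events:
        image = e.get("image", "")
        if e["event_id"] == 1 and _basename(e.get("parent", "")) in _OFFICE:
            hits.append(("T1204.002/T1059.005", f"Office process spawned {image}"))
        if e["event_id"] == 11 and _STARTUP_RE.search(e.get("target", "")):
            tag = "T1547.001"
            if _basename(e["target"]) == "mssync.exe":  # file name used in this campaign
                tag += "/T1036.005"
            hits.append((tag, f"{image} wrote {e['target']}"))
        if e["event_id"] == 3 and _basename(image) in _OFFICE and _DROPBOX_RE.search(e.get("dest_host", "")):
            hits.append(("T1105/T1583.006", f"{image} connected to {e['dest_host']}"))
    return hits


if __name__ == "__main__":
    for line in triage_docx(build_sample_docx(dde=True, macro=True)):
        print(line)
    for technique, detail in hunt_events(SAMPLE_EVENTS):
        print(technique, detail)
```

Two caveats when turning this into production rules. An Office process talking to Dropbox is noisy wherever the Dropbox add-in is deployed, so that rule is best used as an enrichment on the Startup-folder write rather than an alert on its own. And the shellcode injection into Word's memory (T1055) does not show up in process, file or network events at all; catching that step needs the CreateRemoteThread / process-access telemetry (Sysmon 8 and 10) or an EDR memory scan, which the constructed events above do not model.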

Software

ID | Name | Description
S0448 | Rising Sun | During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants. [3][1]

References