C0013 Operation Sharpshooter
Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.312
| Item | Value |
|---|---|
| ID | C0013 |
| Associated Names | |
| First Seen | September 2017 |
| Last Seen | March 2019 |
| Version | 1.0 |
| Created | 26 September 2022 |
| Last Modified | 13 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.006 | Web Services | For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.3 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | During Operation Sharpshooter, a first-stage downloader installed Rising Sun to %Startup%\mssync.exe on a compromised host.3 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.3 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.004 | Server | For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign’s infrastructure.1 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.3 |
| enterprise | T1105 | Ingress Tool Transfer | During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.3 |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | During Operation Sharpshooter, threat actors sent malicious Word OLE documents to victims.3 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as mssync.exe.3 |
| enterprise | T1106 | Native API | During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().3 |
| enterprise | T1055 | Process Injection | During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word.2 |
| enterprise | T1090 | Proxy | For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.1 |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.3 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files.3 |
Software
| ID | Name | Description |
|---|---|---|
| S0448 | Rising Sun | During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants.31 |
References
-
I. Ilascu. (2019, March 3). Op ‘Sharpshooter’ Connected to North Korea’s Lazarus Group. Retrieved September 26, 2022. ↩↩↩↩
-
L. O’Donnell. (2019, March 3). RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope. Retrieved September 26, 2022. ↩↩
-
Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩