
G0104 Sharpshooter

Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.[1]

Item | Value
ID | G0104
Associated Names | -
Version | 1.0
Created | 14 May 2020
Last Modified | 30 June 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Sharpshooter's first-stage downloader installed Rising Sun to the startup folder %Startup%\mssync.exe.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.005 | Visual Basic | Sharpshooter's first-stage downloader was a VBA macro.[1]
enterprise | T1105 | Ingress Tool Transfer | Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[1]
enterprise | T1559 | Inter-Process Communication | -
enterprise | T1559.002 | Dynamic Data Exchange | Sharpshooter has sent malicious Word OLE documents to victims.[1]
enterprise | T1106 | Native API | Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Sharpshooter has sent malicious attachments via emails to targets.[1]
enterprise | T1055 | Process Injection | Sharpshooter has leveraged embedded shellcode to inject a downloader into the memory of Word.[1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Sharpshooter has sent malicious DOC and PDF files to targets so that they can be opened by a user.[1]

Software

ID | Name | References | Techniques
S0448 | Rising Sun | - | Web Protocols:Application Layer Protocol; Archive via Custom Method:Archive Collected Data; Windows Command Shell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; File Deletion:Indicator Removal on Host; Indicator Removal on Host; Native API; Obfuscated Files or Information; Process Discovery; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery
