S0448 Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group‘s Trojan Duuzer.1
| Item | Value |
|---|---|
| ID | S0448 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 14 May 2020 |
| Last Modified | 13 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Rising Sun has used HTTP and HTTPS for command and control.1 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Rising Sun has executed commands using cmd.exe /c “<command> > <%temp%>\AM<random>. tmp” 2>&1.1 |
| enterprise | T1005 | Data from Local System | Rising Sun has collected data and files from a compromised host.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Rising Sun variants can use SSL for encrypting C2 communications.2 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.1 |
| enterprise | T1083 | File and Directory Discovery | Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Rising Sun can modify file attributes to hide files.1 |
| enterprise | T1070 | Indicator Removal | Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.1 |
| enterprise | T1070.004 | File Deletion | Rising Sun can delete files and artifacts it creates.1 |
| enterprise | T1106 | Native API | Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().1 |
| enterprise | T1027 | Obfuscated Files or Information | Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.1 |
| enterprise | T1057 | Process Discovery | Rising Sun can enumerate all running processes and process information on an infected machine.1 |
| enterprise | T1012 | Query Registry | Rising Sun has identified the OS product name from a compromised host by searching the registry for SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName.1 |
| enterprise | T1082 | System Information Discovery | Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.1 |
| enterprise | T1016 | System Network Configuration Discovery | Rising Sun can detect network adapter and IP address information.1 |
| enterprise | T1016.001 | Internet Connection Discovery | Rising Sun can test a connection to a specified network IP address over a specified port number.1 |
| enterprise | T1033 | System Owner/User Discovery | Rising Sun can detect the username of the infected host.1 |
References
-
Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
I. Ilascu. (2019, March 3). Op ‘Sharpshooter’ Connected to North Korea’s Lazarus Group. Retrieved September 26, 2022. ↩