Skip to content

S0448 Rising Sun

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group‘s Trojan Duuzer.1

Item Value
ID S0448
Associated Names
Version 2.0
Created 14 May 2020
Last Modified 13 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Rising Sun has used HTTP and HTTPS for command and control.1
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Rising Sun has executed commands using cmd.exe /c “<command> > <%temp%>\AM<random>. tmp” 2>&1.1
enterprise T1005 Data from Local System Rising Sun has collected data and files from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Rising Sun variants can use SSL for encrypting C2 communications.2
enterprise T1041 Exfiltration Over C2 Channel Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.1
enterprise T1083 File and Directory Discovery Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Rising Sun can modify file attributes to hide files.1
enterprise T1070 Indicator Removal Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.1
enterprise T1070.004 File Deletion Rising Sun can delete files and artifacts it creates.1
enterprise T1106 Native API Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().1
enterprise T1027 Obfuscated Files or Information Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.1
enterprise T1057 Process Discovery Rising Sun can enumerate all running processes and process information on an infected machine.1
enterprise T1012 Query Registry Rising Sun has identified the OS product name from a compromised host by searching the registry for SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName.1
enterprise T1082 System Information Discovery Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.1
enterprise T1016 System Network Configuration Discovery Rising Sun can detect network adapter and IP address information.1
enterprise T1016.001 Internet Connection Discovery Rising Sun can test a connection to a specified network IP address over a specified port number.1
enterprise T1033 System Owner/User Discovery Rising Sun can detect the username of the infected host.1