Sharpshooter: Cyberattack campaign against critical infrastructure in U.S. and Latin America

Experts have discovered a cyberattack campaign against dozens of organizations dedicated to defense and other critical tasks

Digital forensics specialists from the International Institute of Cyber Security reported the emergence of a hacking campaign targeting critical infrastructure companies around the world. The hackers behind this campaign, known as Operation Sharpshooter, are deploying malware associated with the Lazarus hacking group, the same organization behind the cyberattacks against Sony in 2014.

Experts in digital forensics and cybersecurity who first found this campaign believe that the malicious actors may be gathering information about intelligence activities in multiple countries in order to plan future cyberattacks against nuclear, energy, financial and defense organizations.

According to the specialists, during this operation the hackers use an in-memory implant to download and retrieve a second-stage implant for later exploitation. “During last October and November, the Rising Sun implant began to appear in organizations around the world, mainly in the U.S.,” the experts mentioned in their analysis.

“Like other similar cyberattack campaigns, English-speaking organizations and English-speaking regional offices are attacked in Operation Sharpshooter. The operators of this campaign have been engaged in collecting information about people of interest or organizations that manage relevant data.”

These attackers are conducting multiple phishing attacks, sending a link that redirects victims to an infected Word file, allegedly sent by a human resources recruiter. The message the victims receive is written in English and describes jobs at non-existent companies. The URLs attached to the document are associated with an IP address located in the U.S. and with the Dropbox document management platform.

Macros included in the malicious Word document use embedded shellcode to inject the Sharpshooter downloader into the memory of the Word process. According to experts in digital forensics, the macros act as a downloader for the Rising Sun implant, the second-stage implant that runs in memory and collects information about the victim’s machine. Rising Sun includes dozens of backdoor features, including the capability to kill processes and overwrite files on disk.

The binary is downloaded into the Startup folder to gain persistence on the infected system. Experts noted that the campaign operators also download a second Word document from the control server, which they believe is used as a decoy to conceal the malicious program.

The experts noted that the Rising Sun implant reuses source code from the Duuzer Trojan, the backdoor that the Lazarus hacking group used in the attacks against Sony Pictures. In addition, the experts found other similarities with the attack campaign against Sony; for example, the documents used to distribute the Rising Sun payload contain metadata indicating that they were created with a Korean version of Word. Finally, the specialists consider that the operators of Operation Sharpshooter could also be leaving false traces to hinder the work of law enforcement agencies.