Sharpshooter

Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.[1]

ID: G0104
Version: 1.0
Created: 14 May 2020
Last Modified: 30 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Sharpshooter's first-stage downloader installed Rising Sun to the startup folder %Startup%\mssync.exe.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sharpshooter's first-stage downloader was a VBA macro.[1]

Enterprise T1105 Ingress Tool Transfer

Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[1]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Sharpshooter has sent malicious Word OLE documents to victims.[1]

Enterprise T1106 Native API

Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sharpshooter has sent malicious attachments via emails to targets.[1]

Enterprise T1055 Process Injection

Sharpshooter has leveraged embedded shellcode to inject a downloader into the memory of Word.[1]

Enterprise T1204 .002 User Execution: Malicious File

Sharpshooter has sent malicious DOC and PDF files to targets so that they can be opened by a user.[1]

Software

ID Name Techniques
S0448 Rising Sun Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host, Indicator Removal on Host: File Deletion, Native API, Obfuscated Files or Information, Process Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

References