Rising Sun is a modular backdoor malware used extensively in Operation Sharpshooter. The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. Rising Sun uses source code from Lazarus Group's Trojan Duuzer.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Rising Sun has used HTTP for command and control.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Rising Sun executed commands using cmd.exe.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Rising Sun decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Rising Sun can modify file attributes to hide files.[1] |
| Enterprise | T1070 | Indicator Removal on Host | Rising Sun can clear process memory by overwriting it with junk bytes.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Rising Sun can delete files specified by the C2.[1] |
| Enterprise | T1106 | Native API | Rising Sun used dynamic API resolution of various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Configuration data used by Rising Sun is encrypted using RC4.[1] |
| Enterprise | T1057 | Process Discovery | Rising Sun can enumerate all running processes and process information on an infected machine.[1] |
| Enterprise | T1082 | System Information Discovery | Rising Sun can detect the computer name, operating system, and other native system information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Rising Sun can detect network adapter and IP address information.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Rising Sun can detect the username of the infected host.[1] |
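The table above describes three decoding layers an analyst meets when working a Rising Sun sample: a single-byte XOR wrapper around the payload (T1140), RC4 over the configuration (T1027), and RC4 plus Base64 over collected data before it is sent to the C2 (T1560.003). The following Python is an added analyst helper and is not code from the ATT&CK page, the McAfee report, or the malware itself. It assumes the collected data is RC4-encrypted first and Base64-encoded second, uses the PE `MZ` signature as the known plaintext for recovering the XOR key, and all keys and sample blobs are constructed in the script rather than taken from a real sample.

```python
"""Decoding helpers for the layers listed in the Rising Sun ATT&CK table.
All keys and sample blobs below are constructed for illustration; none
are real Rising Sun artifacts."""
import base64
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (T1140 self-decryption layer)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes, expected_prefix: bytes = b"MZ") -> Optional[int]:
    """Brute-force the 256 possible single-byte keys and return the one that
    turns the start of the blob into expected_prefix (a PE begins with 'MZ').
    Returns None when no single key explains the prefix."""
    for k in range(256):
        if xor_single_byte(blob[: len(expected_prefix)], k) == expected_prefix:
            return k
    return None


def decode_archived_data(b64_text: str, rc4_key: bytes) -> bytes:
    """Reverse the assumed RC4-then-Base64 layering on collected data
    (T1560.003): Base64-decode, then RC4-decrypt with the recovered key."""
    return rc4(rc4_key, base64.b64decode(b64_text))


# --- constructed sample inputs (placeholders, not real indicators) ---------
SAMPLE_RC4_KEY = b"constructed-placeholder-key"
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed fake PE header bytes"
SAMPLE_XORED_PAYLOAD = xor_single_byte(SAMPLE_PAYLOAD, 0x5A)
SAMPLE_COLLECTED = b"hostname=LAB-PC;user=analyst;os=Windows"
SAMPLE_EXFIL_BLOB = base64.b64encode(rc4(SAMPLE_RC4_KEY, SAMPLE_COLLECTED)).decode()


def analyze_samples() -> dict:
    """Run both decoders over the constructed samples and return the results."""
    key = recover_xor_key(SAMPLE_XORED_PAYLOAD)
    payload = xor_single_byte(SAMPLE_XORED_PAYLOAD, key) if key is not None else b""
    return {
        "xor_key": key,
        "payload_is_pe": payload.startswith(b"MZ"),
        "collected": decode_archived_data(SAMPLE_EXFIL_BLOB, SAMPLE_RC4_KEY),
    }


if __name__ == "__main__":
    for name, value in analyze_samples().items():
        print(f"{name}: {value!r}")
```

In practice the RC4 key is recovered from the sample (for example from the configuration-decryption routine reached through the dynamically resolved APIs noted under T1106), and the same `rc4` function then applies to both the configuration blob and captured HTTP POST bodies.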
| ID | Name | References |
|---|---|---|
| G0104 | Sharpshooter | |