Operation SharpShooter Attacks Nuclear, Defense, Energy, and Financial Companies
(Dec 13, 2018)
According to McAfee researchers, 87 organisations across 24 countries have been targeted in a recent spear-phishing campaign dubbed "Operation SharpShooter." The campaign targets institutions in the defence, energy, financial, and telecommunications sectors, with a focus on English-speaking organisations in Australia, Europe, India, Japan, the Middle East, South America, and the US. The observed phishing emails were themed around recruitment and contained a seemingly legitimate job description with a Word document attachment, purportedly sent by a man named "Richard." The document asks the recipient to enable macros; if they do, embedded shellcode injects a downloader that retrieves a backdoor called "Rising Sun." Rising Sun gives the threat actor reconnaissance capabilities on the machine, collecting documents, network configuration, system settings, and usernames and sending them to the designated Command and Control (C2) server. Notably, the malware can delete its own traces and clear memory to make detection more difficult.
Recommendation: This campaign is a reminder not to open documents that ask for macros to be enabled. Macros are rarely needed in documents received from outside the organisation; unless their use is common business practice within your company, do not enable them without verifying that the document is legitimate. A document that prompts for macros is a common sign of a phishing attempt and should be heavily scrutinised. All employees should be educated on the risk of opening attachments from unknown senders, even when they appear legitimate. Anti-spam and antivirus protection should be deployed and kept current with the latest signatures and versions.
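One concrete way to act on the recommendation above is to flag macro-bearing Office attachments at the mail gateway before a user is ever prompted to enable them. The following is an added example written for this briefing; it is not code from the original page, from McAfee, or from Anomali, and it makes no claim about the SharpShooter documents' internal structure. It uses only the Python standard library: for OOXML (.docx/.docm) containers it looks for an embedded vbaProject.bin part and a macroEnabled content type, and it also flags a file whose extension says "no macros" (.docx) but which carries a VBA project, a common sign of a renamed lure. Legacy binary .doc files are OLE containers whose VBA streams need a dedicated parser (oletools/olevba), so they are simply routed to manual review here. The sample documents built by build_ooxml_sample are constructed stand-ins, not real Word files.

```python
import io
import zipfile

# Container signatures. Constructed constants for this example.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (CFB) file
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) zip


def classify_office_attachment(data: bytes) -> dict:
    """Inspect raw attachment bytes and report whether VBA macros are present.

    OOXML: a vbaProject.bin part (word/, xl/, ppt/) means a VBA project is embedded;
           [Content_Types].xml declaring a macroEnabled main part is corroborating.
    OLE:   VBA lives in storage streams; without olefile/oletools we only flag it.
    """
    verdict = {"container": "unknown", "has_vba": False, "review": False, "reasons": []}

    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                ctypes = ""
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except zipfile.BadZipFile:
            verdict["review"] = True
            verdict["reasons"].append("zip container is corrupt or truncated")
            return verdict

        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba_parts:
            verdict["has_vba"] = True
            verdict["review"] = True
            verdict["reasons"].append("VBA project embedded: " + ", ".join(vba_parts))
        if "macroEnabled" in ctypes:
            verdict["review"] = True
            verdict["reasons"].append("content type declares a macroEnabled document")

    elif data.startswith(OLE_MAGIC):
        verdict["container"] = "ole"
        verdict["review"] = True
        verdict["reasons"].append("legacy binary Office file; enumerate VBA streams with olevba")

    return verdict


def scan_attachment(filename: str, data: bytes) -> dict:
    """Combine the content check with an extension-vs-content consistency check."""
    verdict = classify_office_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Word will not run macros from a .docx, so VBA inside one usually means a
    # renamed .docm: still worth quarantining and investigating.
    if verdict["has_vba"] and ext in ("docx", "xlsx", "pptx"):
        verdict["review"] = True
        verdict["reasons"].append(f"macro-free extension .{ext} but a VBA project is inside")
    return verdict


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing (not a real Word file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "job_description.docm": build_ooxml_sample(True),
        "job_description.docx": build_ooxml_sample(True),   # renamed macro document
        "benign.docx": build_ooxml_sample(False),
        "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    }
    for name, blob in samples.items():
        v = scan_attachment(name, blob)
        print(f"{name}: container={v['container']} has_vba={v['has_vba']} "
              f"review={v['review']} reasons={v['reasons']}")
```

In a gateway this check belongs before delivery, with anything marked review held for an analyst or detonated in a sandbox rather than delivered with a warning banner; the content-type and part-name checks are deliberately independent so a document that tampers with one still trips the other.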
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.