A previously discovered global cyber espionage campaign was recently linked with high confidence to a North Korean APT hacking group by the security researchers which they revealed was targeting the critical infrastructure around the world. The new evidence was collected by the researchers after analyzing a command-and-control (C2) server that was involved in the global cyber espionage campaign and they were seized by the law enforcement.
The operation was known by the name ‘Sharpshooter’ and the campaign meant to target the government, nuclear, defence, energy and financial organizations around the globe. The global cyber espionage campaign was uncovered in December in the year 2018 by the McAfee security researchers. At the same time, though the researchers have found out several links to the North Korean hacking group, Lazarus, yet the researchers were not able to attribute the campaign due to the potential for the false flags.
As per the latest release of the press release, the researchers went through the in depth analysis of the seized code and the command-and-control server (C2) which revealed the working strategy of the North Korean group and the global cyber espionage campaign as well. It is clear that the North Korean hacking group is behind the ‘Sharpshooter’ operation. The Lazarus group bears several names and is backed up by the North Korean Government.
The global cyber espionage campaign gets spread by sending of the malicious documents that contain weaponized macro to targets through Dropbox. As soon as it is downloaded and opened, the macro leverages embeds the shellcode to inject the Sharpshooter downloader in the Microsoft Word’s memory. For more exploitation, Rising Sun Malware gets downloaded that uses the source code from the backdoor of the Lazarus group, Trojan Duuzer which first circulated in the year 2015 and targeted various organizations in South Korea.