McAfee ID’s Lazarus as Operation Sharpshooter Malware Operators
It was Lazarus all along behind the cyber attacks aimed at critical infrastructure facilities and industries worldwide late last year, security specialist McAfee said in a follow up to its Operation Sharpshooter research.
Background check: Beginning last October, hackers launched a campaign to lure victims into opening emails contained a “weaponized macro” that launched second stage malware coded to collect intelligence. The prey’s personal data, including user names, IP addresses, network configuration and system settings, was then directed to a control server. The targets were nearly 90 defense and government installations among a 14-industry spearphishing operation disguised as legitimate job recruitment inquiries.
No names. In its December, 2018 report on Operation Sharpshooter, McAfee shied away from naming the possible culprits, defaulting attribution to others in the security community while cautioning that the breadcrumb trail may be a dead end.
That was then and this is now. Armed with an analysis of code and data from a command-and-control server involved in the spy campaign, a more certain McAfee has tagged the Lazarus crew with the score. Apparently, a “government entity that is familiar with McAfee’s published research on this malware campaign,” offered up the content to the security provider, giving it enough evidence to conclusively finger Lazarus. The attack range is worse than first thought, McAfee said.
There’s more. The analysis enabled McAfee to identify other previously unknown command-and-control centers that may date the Sharpshooter campaign to a year earlier than initial believed. It’s also possible, McAfee said, that the targets extend beyond defense and government to organizations in more industries and countries.
The latest push: The hackers appear to be aiming at “finance, government and critical infrastructure around the globe, primarily in Germany, Turkey, the U.K. and the U.S,” McAfee said. Previous attacks focused on telecommunications, government and financial sectors, primarily in the U.S., Switzerland and Israel.
“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist. “Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns.”
Some additional findings:
- Hunting and spearphishing. Sharpshooter’s design and tactics overlap with several campaigns, including a similar fake job recruitment campaign conducted in 2017 that’s attributed to Lazarus.
- African connection. The Sharpshooters may have tested their implants and other techniques prior to launching a full-scale attack using a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia.
- Maintaining access to assets. The attackers have been using a command-and-control infrastructure with the core back-end written in Hypertext Preprocessor and Active Server Pages. The code appears to be custom and unique to the group.
- Evolving Rising Sun. The Sharpshooter attackers used a factory-like process where various malicious components that make up Rising Sun have been developed independently outside of the core implant functionality. (The second stage implant in the campaign, which McAfee is calling Rising Sun, uses source code from Lazarus’ 2015 backdoor Trojan Duuzer.)