McAfee confirms that Lazarus North Korean APT hackers are behind the worldwide Sharpshooter cyber espionage campaign

The global cyber espionage campaign dubbed Sharpshooter is linked to North Korea’s Lazarus APT hacking group. It has been confirmed by McAfee cyber security researchers, who analyzed a command-and-control (C2) server involved in the cyber warfare operation and seized by law enforcements. The Pyongyang malicious campaign  world was initially uncovered in December 2018 by company’s security researchers. It targeted government, defense, nuclear, energy, and financial organizations around the world. Moreover, the analysis revealed that the global espionage Op. began as early as September 2017, a year earlier than previously thought and is still ongoing. While previous cyber attacks were primarily targeting telecommunications, government and financial sectors in the United States, Switzerland, and Israel, and other English-speaking countries, newly-discovered evidence suggests that Sharpshooter has expanded its focus to critical infrastructure, with the most recent attacks targeting Germany, Turkey, the United Kingdom, and the United States.

The cyber security experts: Pyongyang’s cyber warfare attacks spread by malicious documents, containing a weaponized macro, via Dropbox and Rising Sun malware

According to The Hacker News, the North Korea cyber espionage campaign spreads by sending malicious documents containing a weaponized macro to targets via Dropbox. Once opened and downloaded, the macro leverages embedded shellcode to inject the Sharpshooter downloader into the memory of Microsoft Word. For further exploitation, this in-memory implant then covertly downloads the second-stage Rising Sun malware, which uses source code from the Lazarus’s backdoor Trojan Duuzer. Then, the malicious code performs reconnaissance on the victim’s network by gathering and encrypting data, including devices’ computer name, IP address data, native system information and more. The analysis of the C2 server and file logs showed also a network block of IP addresses from a city located in Namibia. This led the McAfee cyber security experts to suspect that Lazarus may have tested its implants and other techniques in this area of the world prior to launching the broader campaign.