Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Sharpshooter's first-stage downloader installed Rising Sun to the startup folder. |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sharpshooter's first-stage downloader was a VBA macro.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[1] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Sharpshooter has sent malicious Word OLE documents to victims.[1] |
| Enterprise | T1106 | Native API | Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Sharpshooter has sent malicious attachments via email to targets.[1] |
| Enterprise | T1055 | Process Injection | Sharpshooter has leveraged embedded shellcode to inject a downloader into the memory of Word.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Sharpshooter has sent malicious DOC and PDF files to targets, relying on a user to open them.[1] |