After analyzing the code from a command and control (C2) server used in the global cyber-espionage campaign called "Sharpshooter", security researchers found more evidence linking it to North Korea's Lazarus threat actor.
The analysis was made possible with the help of an authority and revealed that the operation is broader, more complex, and older than first thought.
The North Korean connection
To hide its true location, the threat actor used the ExpressVPN service: connections to the web shell (Notice.php) on a compromised server were seen coming from two IP addresses in London.
However, IP addresses are rarely a reliable indicator of an attacker's origin or of attribution. The connection to the Lazarus group became evident by examining the tools, tactics, and techniques already associated with the North Korean actor.
For example, the Rising Sun backdoor was observed in attacks before the discovery of "Sharpshooter" and shared the tactics, techniques, and procedures (TTPs) seen in operations attributed to the Lazarus group.
The three variants of the backdoor (v1.0, v1.1, and v2.0) show a clear evolution from Duuzer, a backdoor used by Lazarus, as they all retain its core functionality.
"These [Rising Sun] implants were all based on the original Backdoor Duuzer source code," the researchers say in their report.
The strong resemblance between the fake job recruitment campaigns both groups used to deliver their attacks, and the fact that Lazarus relied on similar versions of Rising Sun in activity tracked in 2017, point to a connection between the two adversaries.
Malicious components in the framework
By analyzing code and data from the C2, Ryan Sherstobitoff and Asheer Malhotra from McAfee, along with the company's Advanced Threat Research (ATR) team, discovered new variants of the Rising Sun backdoor that had been in use since at least 2016.
"The server was used to distribute and infect victims with an upgraded version of Rising Sun with SSL capabilities," says a report shared with BleepingComputer.
The rare opportunity to investigate Sharpshooter's backend operations allowed the researchers to build a fuller picture of the activity and of the interaction between the various tools used by the threat actor.
Access to the C2 data gave the researchers a clear overview of the attacker's operations and tools. It also provided enough detail to quickly improve detection of this threat's malicious activity, by revealing new tools that obfuscation techniques would otherwise have kept hidden.
The alternative method of identifying them, analyzing network packets, is more difficult and requires more time.
Another finding in the "Sharpshooter" activity was a set of uncompleted connections from IP addresses in Windhoek, the capital of Namibia. One explanation is that the region was used as a test zone; another is that the threat actor runs the operation from there, although it may also be a false flag intended to point researchers in the wrong direction.
When "Sharpshooter" was first discovered, it was assumed that the operation started in October 2018. However, a log file on the server indicates that the C2 framework has been active since at least September 2017, and was probably "hosted on different servers over time."
Sharpshooter was first discovered at the end of last year, when it attacked at least 87 organizations around the world in two months. Its activity is ongoing.
McAfee researchers will present their findings at this year's RSA Security Conference in San Francisco.