Researchers link ongoing malware campaign to North Korean hackers

Victor Barreiro Jr.
The analysis of the seized server points to the ongoing malware campaign known as Operation Sharpshooter existing as early as September 2017 and targeting more organizations and countries than previously known

MANILA, Philippines – Security researchers at McAfee announced a link on Monday, March 4, between a seized server they analyzed to North Korean hacking group Lazarus.

The seized server was provided by “a government entity that is familiar with McAfee’s published research” on a malware campaign known as Operation Sharpshooter, which impacted numerous organizations around the world, including the Philippines. 

McAfee said the analysis pointed to additional, previously unknown command-and-control centers. It also suggested Operation Sharpshooter was orchestrated as early as September 2017 and targeted more organizations and countries than previously known.

Sharpshooter attacks, McAfee went on to say, remain ongoing.

McAfee first uncovered Operation Sharpshooter in December 2018, and said hackers sent fake job recruiting emails to unsuspecting users in various organizations worldwide. The attack, commonly known as a spearphishing attack, would implant a malware called Rising Sun into affected devices. The implanted Rising Sun malware is then used to gather information for potential future use or exploitation.

While researchers could not pinpoint the link to Lazarus before, the new evidence provided by analyzing the control server “exposed striking similarities between the technical indicators, techniques and procedures exhibited in these 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to the Lazarus Group.”

The similarities, McAfee said, include the group’s “use of similar versions of the Rising Sun implant dating back to 2017, and source code from the Lazarus Group’s infamous 2016 backdoor Trojan Duuzer.”

Grant Bourzikas, Chief Information Security Officer at McAfee, said cybercriminals continue to use social engineering techniques like spearphishing to attack targets successfully.

He added, “it is imperative organizations take note of these methods and adopt a dual strategy with advanced email protection solutions and employee education to guard against these increasingly sophisticated attacks and protect their internal infrastructure.” –

Victor Barreiro Jr.

Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.