# Op 'Sharpshooter' Connected to North Korea's Lazarus Group **[bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/](https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) March 3, 2019 11:30 PM 0 After analyzing code from a command and control (C2) server used in the global cyberespionage campaign dubbed 'Sharpshooter', security researchers found more evidence linking it to North Korea's Lazarus threat actor. The assessment was possible with the help of a government entity and revealed that the operation is broader in scope, more complex and older than initially thought. ## The North Korean connection To hide their true location, the threat actor used the ExpressVPN service that showed connections to the web shell (Notice.php) on a compromised server coming from two IP addresses in London. ----- However, the IP addresses are rarely a reliable indicator of the attacker's origin or for attribution. The connection to the Lazarus group was obvious by inspecting the tools, strategies, and methods already linked to the North Korean actor. For instance, Rising Sun was observed in attacks before the discovery of 'Sharpshooter' and shared the tactics, techniques, and procedures (TTPs) seen in operations attributed to Lazarus group. The three variants of the backdoor (v1.0, v1.1, and v2.0) indicate a clear evolution from Duuzer, used by Lazarus, as they all include its core capabilities. ----- "These [Rising Sun] implants were all based on the original Backdoor Duuzer source code," the researchers say in their report. The high similarity of the fake job recruitment campaigns both groups used to disguise their attacks, and the fact that Lazarus relied on similar versions of Rising Sun in activity tracked in 2017, point to a connection between the two adversaries. ## Malicious components in the framework ----- Analyzing the code and data from the C2, Ryan Sherstobitoff and Asheer Malhotra from McAfee, along with the company's Advanced Threat Research Team (ATR), discovered new variants of the Rising Sun backdoor that were used since at least 2016. "The server was used to distribute and infect victims with an upgraded version of Rising Sun with SSL capabilities," informs a report shared with BleepingComputer. The rare opportunity to examine Sharpshooter's backend operations allowed the researchers to create a fuller picture of the activity and interaction between the various tools used by the threat actor. Local recreation of Sharpshooter's C2 main panel Getting access to the C2 information helped the researchers get a clear view of the attacker's operations and utilities. It also provided sufficient details to quickly improve detection of malicious activity from this threat by uncovering new tools otherwise hidden by obfuscation techniques. An alternative method for discovering them is by analyzing network packets, which is more difficult and requires more time. ----- Another finding in the activity of 'Sharpshooter' were a set of unobfuscated connections from IP addresses in Windhoek, a city in Namibia, Africa. One explanation for this could be that that they used the region as a test zone; another would be that the threat actor runs the operation from those locations, although it could also be a false flag meant to point the researchers on the wrong path. When 'Sharpshooter' was first discovered, it was believed that the operation started in October 2018. However, a log file on the server indicates that the C2 framework has been active since at least September 2017, and probably "hosted on different servers over time." The threat actor [first detected towards the end of last year when it attacked at least 87](https://www.bleepingcomputer.com/news/security/op-sharpshooter-uses-lazarus-group-tactics-techniques-and-procedures/) organizations around the world in two months' time. Its activity is ongoing. [McAfee researchers will present their findings at this year's RSA security conference in San](https://www.rsaconference.com/events/us19) Francisco. ### Related Articles: [Hackers are now hiding malware in Windows Event Logs](https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/) [Cyberspies use IP cameras to deploy backdoors, steal Exchange emails](https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to-deploy-backdoors-steal-exchange-emails/) [DPRK hackers go after crypto assets using trojanized DeFi Wallet app](https://www.bleepingcomputer.com/news/security/dprk-hackers-go-after-crypto-assets-using-trojanized-defi-wallet-app/) [BPFDoor malware uses Solaris vulnerability to get root privileges](https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/) [BPFDoor: Stealthy Linux malware bypasses firewalls for remote access](https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/) ----- [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. -----