Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
Rising Sun has collected data and files from a compromised host.[1] |
|
| Enterprise | T1573 | .002 | 加密通道: Asymmetric Cryptography |
Rising Sun variants can use SSL for encrypting C2 communications.[2] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
Rising Sun has executed commands using |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
Rising Sun has used HTTP and HTTPS for command and control.[1] |
| Enterprise | T1560 | .003 | 归档收集数据: Archive via Custom Method |
Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.[1] |
| Enterprise | T1083 | 文件和目录发现 |
Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[1] |
|
| Enterprise | T1106 | 本机API |
Rising Sun used dynamic API resolutions to various Windows APIs by leveraging |
|
| Enterprise | T1012 | 查询注册表 |
Rising Sun has identified the OS product name from a compromised host by searching the registry for |
|
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[1] |
| Enterprise | T1070 | 移除指标 |
Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.[1] |
|
| .004 | File Deletion |
Rising Sun can delete files and artifacts it creates.[1] |
||
| Enterprise | T1082 | 系统信息发现 |
Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.[1] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Rising Sun can detect the username of the infected host.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Rising Sun can detect network adapter and IP address information.[1] |
|
| .001 | Internet Connection Discovery |
Rising Sun can test a connection to a specified network IP address over a specified port number.[1] |
||
| Enterprise | T1057 | 进程发现 |
Rising Sun can enumerate all running processes and process information on an infected machine.[1] |
|
| Enterprise | T1041 | 通过C2信道渗出 |
Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[1] |
|
| Enterprise | T1564 | .001 | 隐藏伪装: Hidden Files and Directories |
Rising Sun can modify file attributes to hide files.[1] |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0013 | Operation Sharpshooter |
During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants.[1][2] |