Operation Sharpshooter

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor...

Operation Cobra Venom

The campaign was carried out by attackers impersonating the South Korean Ministry of Unification. The phishing operation consisted of email attachments containing two malicious executables disguised as PDF documents. Successful exploitation could allow the threat actor to steal sensitive information and drop additional files, allowing complete compromise of the infected computer.

Operation Holiday Wiper

The campaign uses spear-phishing emails with malicious attachments targeting vulnerabilities in Microsoft Office. The command and control server used in the attack is reported to be a Korean medical website and is used to download a payload disguised as a Korean security program.

Operation OceanLotus KerrDown

The campaign mainly targets individuals who speak Vietnamese, using either Microsoft Office documents with malicious macros or RAR archives containing a Microsoft Word 2007 executable file. The threat actor behind the operation has been using the “KerrDown” malware family since at least early 2018 and targets a range of sectors and individuals connected to Vietnam. The attacks use a variant of Cobalt Strike Beacon as the final payload.

Operation Kitty Phishing

The campaign's goal is to steal confidential information; it targets a range of sectors, including government and defense, with a focus on South Korean users. The threat actors behind the attacks also attempt to steal Ethereum and Bitcoin from cryptocurrency exchanges and individual users. The malware used in the operation is delivered using phishing emails with a zip attachment containing two remote access Trojans disguised as Hangul Word Processor (HWP) documents.

The campaign uses various information-stealing Trojans and remote access tools to attack mainly the hospitality sector in an attempt to steal credit card details. The operation is known to use many known RATs, including LimeRAT, RevengeRAT, NjRAT, AsyncRAT, NanoCoreRAT, and RemcosRAT. The attackers also use a range of dynamic DNS (DDNS) services, including DuckDNS, WinCo, and No-IP.

Operation Whitefly Singapore

The attack campaign was carried out by the Whitefly espionage group and targeted a range of sectors, including healthcare, media, telecommunications, and engineering, mainly in Singapore. The threat actors used custom malware, malicious PowerShell scripts, and open-source tools to carry out their operation in an attempt to steal sensitive information.

Operation WinRAR Goldmouse

The attack campaign targets victims in the Middle East with malicious Microsoft Word documents located inside an archive and takes advantage of a flaw in WinRAR. Once decompressed, the malware creates an entry in the computer's startup folder and is executed at the next login or reboot. The final payload is the njRAT backdoor, which stops the local firewall and then starts a keylogger to steal sensitive information.

Operation Hidden Python

The operation targets victims with a compressed file containing a malicious .hwp document and an executable that attempts to take advantage of a flaw in WinRAR. The archive file is labeled "North America Second Summit .rar" and is password protected to avoid detection. Once executed by the victim, the malware creates a startup task and becomes active once the infected system is rebooted.