Rising Sun

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[1]

ID: S0448
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 14 May 2020
Last Modified: 13 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Rising Sun has used HTTP and HTTPS for command and control.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Rising Sun has executed commands using cmd.exe /c "<command> > <%temp%>\AM<random>. tmp" 2>&1.[1]

Enterprise T1005 Data from Local System

Rising Sun has collected data and files from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Rising Sun variants can use SSL for encrypting C2 communications.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[1]

Enterprise T1083 File and Directory Discovery

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Rising Sun can modify file attributes to hide files.[1]

Enterprise T1070 Indicator Removal

Rising Sun can clear a memory blog in the process by overwriting it with junk bytes.[1]

.004 File Deletion

Rising Sun can delete files and artifacts it creates.[1]

Enterprise T1106 Native API

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[1]

Enterprise T1027 Obfuscated Files or Information

Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[1]

Enterprise T1057 Process Discovery

Rising Sun can enumerate all running processes and process information on an infected machine.[1]

Enterprise T1012 Query Registry

Rising Sun has identified the OS product name from a compromised host by searching the registry for SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName.[1]

Enterprise T1082 System Information Discovery

Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.[1]

Enterprise T1016 System Network Configuration Discovery

Rising Sun can detect network adapter and IP address information.[1]

.001 Internet Connection Discovery

Rising Sun can test a connection to a specified network IP address over a specified port number.[1]

Enterprise T1033 System Owner/User Discovery

Rising Sun can detect the username of the infected host.[1]

Campaigns

ID Name Description
C0013 Operation Sharpshooter

During the investigation of Operation Sharpshooter, security researchers identified Rising Sun in 87 organizations across the globe and subsequently discovered three variants.[1][2]

References