Rising Sun

Rising Sun is a modular backdoor malware used extensively in Operation Sharpshooter. The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. Rising Sun uses source code from Lazarus Group's Trojan Duuzer.[1]

ID: S0448
Platforms: Windows
Version: 1.0
Created: 14 May 2020
Last Modified: 30 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Rising Sun has used HTTP for command and control.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Rising Sun executed commands using cmd.exe.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Rising Sun decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[1]

Enterprise T1083 File and Directory Discovery

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Rising Sun can modify file attributes to hide files.[1]

Enterprise T1070 Indicator Removal on Host

Rising Sun can clear process memory by overwriting it with junk bytes.[1]

.004 File Deletion

Rising Sun can delete files specified by the C2.[1]

Enterprise T1106 Native API

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[1]

Enterprise T1027 Obfuscated Files or Information

Configuration data used by Rising Sun is encrypted using RC4.[1]

Enterprise T1057 Process Discovery

Rising Sun can enumerate all running processes and process information on an infected machine.[1]

Enterprise T1082 System Information Discovery

Rising Sun can detect the computer name, operating system, and other native system information.[1]

Enterprise T1016 System Network Configuration Discovery

Rising Sun can detect network adapter and IP address information.[1]

Enterprise T1033 System Owner/User Discovery

Rising Sun can detect the username of the infected host.[1]

Groups That Use This Software

ID Name References
G0104 Sharpshooter