Anatomy of a still-ongoing attack:
[…] The espionage campaign began when a wave of malicious documents was sent to targets via Dropbox. The initial attack vector is a document that contains a weaponized macro. Once the document is downloaded and the macro runs, it places embedded shellcode into the memory of Microsoft Word, where it acts as a simple downloader for a second-stage implant.
This next stage runs in memory and gathers intelligence. The second-stage implant is a fully modular backdoor called "Rising Sun" that performs reconnaissance on the victim's network, according to the research.
Notably, Rising Sun uses source code from the Duuzer backdoor, a malware first used in a 2015 campaign targeting the data of South Korean organizations, mainly in manufacturing. Duuzer, which is designed to work with 32-bit and 64-bit Windows versions, opens a back door through which bad actors can gather system information. In this situation, the Rising Sun implant gathers and encrypts data from the victim, and fetches the victim devices' computer name, IP address data, native system information and more.
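The chain described above has one observable that a defender can hunt for directly: the first-stage downloader runs inside the memory of Microsoft Word, so the download of the second stage shows up as an outbound network connection whose initiating process is winword.exe. The following Python is an added example, not code from the article or from the researchers; it runs a simple rule over constructed, Sysmon-style log lines (the hosts, timestamps and the pipe-delimited format are invented for the example) and flags network connections initiated by Office processes, with a small analyst-maintained allowlist for known-benign destinations such as a corporate proxy.

```python
"""Flag outbound network connections initiated by Microsoft Office processes.

Added example. The log format and every host, address and timestamp
below are constructed for illustration, not taken from real telemetry.
"""
from dataclasses import dataclass
from typing import List, Set

# Office binaries that should almost never open their own network sockets
# unless a macro or injected shellcode is acting as a downloader.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Destinations an analyst has vetted as benign for Office traffic
# (constructed placeholder; in practice this is the corporate proxy or
# update infrastructure).
ALLOWLISTED_HOSTS: Set[str] = {"proxy.corp.example"}


@dataclass
class Event:
    ts: str       # timestamp string
    kind: str     # "proc" (process creation) or "net" (network connection)
    image: str    # initiating process image name, lower-cased
    detail: str   # child image for "proc", destination host:port for "net"


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited log line: ts | kind | image | detail."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    ts, kind, image, detail = fields
    return Event(ts, kind.lower(), image.lower(), detail)


def flag_office_network(lines: List[str]) -> List[str]:
    """Return human-readable alerts for Office processes making network
    connections to hosts that are not on the allowlist."""
    alerts = []
    for ev in map(parse_line, lines):
        if ev.kind != "net" or ev.image not in OFFICE_PROCESSES:
            continue
        host = ev.detail.rsplit(":", 1)[0]
        if host in ALLOWLISTED_HOSTS:
            continue
        alerts.append(f"{ev.ts} {ev.image} connected to {ev.detail}")
    return alerts


# Constructed sample: Word is launched, then opens a socket to an external
# address (the downloader stage), while a browser connection and a Word
# connection through the vetted proxy are expected noise.
SAMPLE_LOG = [
    "2018-10-25T09:12:03Z | proc | explorer.exe | winword.exe",
    "2018-10-25T09:12:41Z | net  | winword.exe  | 203.0.113.10:443",
    "2018-10-25T09:13:02Z | net  | chrome.exe   | 198.51.100.5:443",
    "2018-10-25T09:13:20Z | net  | winword.exe  | proxy.corp.example:8080",
]

if __name__ == "__main__":
    for alert in flag_office_network(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script prints exactly one alert, for the winword.exe connection to 203.0.113.10:443; the chrome.exe connection is ignored because a browser is expected to talk to the network, and the Word connection through the vetted proxy is suppressed by the allowlist. The rule is deliberately coarse: it answers "did Word open a socket" rather than trying to recognise a particular implant, which is what makes it useful against an in-memory downloader that leaves no file on disk.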