Anatomy of a still-ongoing attack:
[…] The espionage campaign began when a batch of malicious documents was sent to targets via Dropbox. The initial attack vector is a document that contains a weaponized macro. Once the document is opened and the macro runs, it places embedded shellcode into the memory of the Microsoft Word process; that shellcode acts as a simple downloader for a second-stage implant.
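The delivery mechanism described above is a macro-enabled Office document, so the first triage question for a defender is simply whether an attachment carries a VBA project at all. The following is an added example written for this page, not code from the article or from the research it summarizes: it parses an Office Open XML container (docx/docm/xlsm/pptm are all zip archives) and reports any embedded VBA project, both by the part name the format conventionally uses (vbaProject.bin) and by the declaration in the [Content_Types].xml manifest. The sample documents are constructed in memory; the stand-in vbaProject.bin contains only the OLE compound-file header, not a real macro.

```python
import io
import zipfile
from typing import Dict, List

# Office Open XML stores a document's macros as a binary OLE part, conventionally
# word/vbaProject.bin (xl/ or ppt/ for the other applications). The manifest
# declares that part with this content type.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Every OLE compound file, including a VBA project, starts with this 8-byte magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_document(data: bytes) -> Dict[str, object]:
    """Report whether an OOXML document embeds a VBA project.

    Returns a dict with:
      is_ooxml   - the bytes are a zip container (docx/docm/xlsm/pptm ...)
      vba_parts  - names of parts that are VBA projects (by name)
      ole_parts  - other non-XML parts that carry an OLE header (embedded
                   objects; worth a look but not macros by themselves)
      has_vba    - True if a VBA project is named or declared in the manifest
    Legacy binary formats (.doc, .xls) are OLE files, not zips, and come back
    with is_ooxml=False; they need an OLE parser instead of this check.
    """
    result: Dict[str, object] = {
        "is_ooxml": False, "vba_parts": [], "ole_parts": [], "has_vba": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_ooxml"] = True

    vba_parts: List[str] = result["vba_parts"]  # type: ignore[assignment]
    ole_parts: List[str] = result["ole_parts"]  # type: ignore[assignment]
    with zf:
        names = zf.namelist()
        # Check 1: the content-types manifest declares a VBA project.
        declared = False
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declared = VBA_CONTENT_TYPE in manifest
        # Check 2: look at the parts themselves; the manifest can be edited.
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                vba_parts.append(name)
            elif not lower.endswith((".xml", ".rels")):
                with zf.open(name) as part:
                    if part.read(len(OLE_MAGIC)) == OLE_MAGIC:
                        ole_parts.append(name)
        result["has_vba"] = declared or bool(vba_parts)
    return result


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample (not a document from the campaign): a minimal OOXML
    container, optionally with a stand-in vbaProject.bin holding only the OLE header."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)),
                       ("macro", build_sample_docx(True))):
        print(label, inspect_office_document(doc))
    print("legacy/other", inspect_office_document(b"not a zip container"))
```

A clean .docx should never report has_vba; a .docm legitimately may, so the check is a triage filter that tells you which attachments need a look at the macro code itself (for example with oletools' olevba), not a verdict on its own.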
That second stage runs in memory and gathers intelligence. According to the research, it is a fully modular backdoor called “Rising Sun” that performs reconnaissance on the victim’s network.
Notably, Rising Sun reuses source code from the Duuzer backdoor, malware first seen in a 2015 campaign targeting the data of South Korean organizations, mainly in manufacturing. Duuzer, which runs on both 32-bit and 64-bit Windows, opens a back door through which attackers can gather system information. In this campaign, the Rising Sun implant gathers and encrypts data from the victim, including the device’s computer name, IP address data, native system information and more.