Taking Over a Hackers’ Server Might Provide Proof That Could Link Rising Sun and the Lazarus Group

Researchers suspected that Rising Sun was linked with the Lazarus Group of cybercriminals back in 2018, when it was first discovered. However, more proof of such a link was needed. The missing evidence was obtained in 2019, when authorities handed McAfee cybersecurity experts a server used in Operation Sharpshooter, during which hackers targeted various companies around the globe with Rising Sun. This malicious application is a sophisticated tool that is capable of gathering various information about an infected device. If you wish to find out more about it, as well as the hackers who might be behind it, you should continue reading our article. As for erasing such a threat, it is advisable to use reputable antimalware tools or leave this task to a team of experienced cybersecurity experts.

One of the things that led researchers to suspect a connection between Rising Sun and the Lazarus Group was the source code of the malicious application. Researchers say that it was used before in a different threat named Trojan Duuzer, which is known to belong to the mentioned cybercriminals. It is believed that the Lazarus Group is made up of North Korean hackers. Attacks associated with it date back to 2009, and over the years, cybersecurity specialists have discovered many more threats connected to these hackers. The Lazarus Group was even suspected of releasing the vicious WannaCry Ransomware, but there was not enough proof of it.

Rising Sun did not spread as widely as WannaCry Ransomware, but it caused enough trouble for different organizations around the world. According to researchers, the hackers behind the malware were after government institutions as well as companies in Finance, Energy, Technology, Education, and other sectors. Also, it looks like all infected devices belonged to English-speaking companies. Based on Rising Sun's capabilities, it seems the hackers were interested in learning the infected computers’ names, network adapter information, user names, IP address information, native system information, and OS product names. Such data could be used for numerous purposes, such as finding weaknesses that could be misused to hack a company’s network, system, etc.

The campaign during which Rising Sun and other threats were spread in 2018 was called Operation Sharpshooter. The contents of the discovered server revealed that it was used for Operation Sharpshooter. Because of the found server, researchers are now almost sure that the Lazarus Group released Rising Sun. It looks like one of the uses of this server was to store the malware’s implants, which were downloaded after victims launched malicious email attachments. Researchers say that once opened, the attachments ran malicious macro code, which downloaded Rising Sun.

To settle in, the malicious application might place its data in the %LOCALAPPDATA% directory. Its folder could have a random title, for example, Strategic planning. Also, to make sure the threat is relaunched after the infected system restarts, its copy might be placed in Startup folders. Removing such data might allow victims to erase Rising Sun manually, but we believe it would be safer to use a reliable antimalware tool or employ a specialist who could eliminate this sophisticated malware.
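The following read-only PowerShell triage script is an added example, not taken from McAfee's report or any removal tool. It lists Startup-folder entries that point into %LOCALAPPDATA% or duplicate an executable stored there. The extension list and the hash-match heuristic are assumptions, and because legitimate software also installs under %LOCALAPPDATA%, the results are candidates for review rather than confirmed Rising Sun indicators.

```powershell
# Added example: read-only triage of the persistence pattern described above.
$localAppData = $env:LOCALAPPDATA
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Index SHA-256 hashes of executables under %LOCALAPPDATA% (extension list is an assumption).
$hashIndex = @{}
Get-ChildItem -LiteralPath $localAppData -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.scr' } |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h) { $hashIndex[$h] = $_.FullName }
    }

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

$findings = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $entry  = $_
        $target = $entry.FullName
        if ($entry.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($entry.FullName).TargetPath
        }
        $hash = $null
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        $reasons = @()
        if ($target -and $target.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'target is under %LOCALAPPDATA%'
        }
        if ($hash -and $hashIndex.ContainsKey($hash) -and $hashIndex[$hash] -ne $target) {
            $reasons += "same content as $($hashIndex[$hash])"
        }
        if ($reasons) {
            [pscustomobject]@{
                StartupEntry = $entry.FullName
                Target       = $target
                SHA256       = $hash
                Reason       = $reasons -join '; '
            }
        }
    }
}

$findings | Format-List
```

Run it in the affected user's session so that both folder lookups resolve to that profile; the script changes nothing on disk.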

Besides removing Rising Sun as soon as possible, there is something else we advise for companies that fear encountering such threats. To be more precise, we recommend being prepared. There are several things that an organization can do to be ready. For starters, it is essential to determine what kind of weaknesses your company’s computers, network, and systems might have. Naturally, the next step would be eliminating detected vulnerabilities or ensuring that hackers could not misuse them.

Moreover, it might be surprising, but a lot of attacks succeed due to human error. To prevent this, we advise teaching your employees about various types of attacks, how to recognize them, and what to do. To find your organization's weaknesses and to train your employees, you could employ a team of cybersecurity experts. Lastly, we recommend using reputable antimalware tools that could make the task of protecting your systems easier.


Ryan Sherstobitoff, Asheer Malhotra. December 12, 2018. ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure. McAfee.

Zack Whittaker. March 4, 2019. Researchers obtain a command server used by North Korean hacker group. TechCrunch.