
Bromium blog: Social Engineering behind Operation Sharpshooter serving up Rising Sun

April 3, 2019 Category: Threats By: Kimberly Becan Comments: 0

The Social Engineering Behind Operation Sharpshooter, Rising Sun

We are learning more about Operation Sharpshooter, an espionage campaign that targeted financial services, government and critical infrastructure, primarily focused in Germany, Turkey, the UK and the US. It is important to show how easily this attack was delivered to end users and how quickly it can infect your enterprise. Despite millions invested in user awareness training and anti-phishing tests, enterprises are still breached daily by simple social engineering, which relies on two key human nature “hacks” that can trick even the most skeptical users: Overload and Fear of Missing Out (FOMO).


Maybe My Invoice Is Overdue?

Everyone is overloaded, at work and with our personal lives, and important things sometimes slip through the cracks. Panic sets in when we think we missed a payment and our mind races: Did I overlook an email? Did the bill get lost in the mail? Or does this bill notify me via an app?

Since clicking a link seems safer than opening an attachment, many users see little risk and succumb to the “overload” hack. They click the link. Strike one.

Your invoice is overdue

Unfortunately, this link leads directly to a weaponized document. The user is already committed to figuring out which bill was missed. Since the file was not blocked, it must be OK, right?

The document is open

Now the document is opened. Strike two.

Maybe my Office Suite Is out of date?

If a user has already “invested” two clicks into this process, s/he is not likely to be deterred from the third and most deadly click: enabling active content.

Enabling active content

Since users are afraid of missing out on something important, they succumb to the “FOMO” hack and enable the malicious content, quite literally inviting the malware into the organization. Strike three.

Word promptly launches the Command Prompt, then downloads and runs a malicious executable.

Word promptly launches the Command Prompt

The thing is, this isn’t a bug, an exploit, or a Zero-day attack. It’s simple, garden-variety social engineering, preying on busy users and “living off the land” using built-in features of the Microsoft Office Suite.
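The chain described above (Word launching the Command Prompt, which then downloads and runs an executable) is visible in ordinary process-creation telemetry. The following is an added example, not code from the post or from Bromium: it scans constructed, simplified Sysmon-style process-creation records and flags a shell whose parent is an Office application, plus anything that shell then launches. Event order, process names and the sample records are assumptions.

```python
# Added example (not from the Bromium post): flag the parent/child chain the
# post describes (Office app -> shell -> downloaded executable) in process
# creation events. Records are constructed, simplified Sysmon-style events;
# events are assumed to be in creation order and PIDs are assumed not reused.
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


def _name(path: str) -> str:
    """Case-insensitive base name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def suspicious_chains(events):
    """Return (parent_pid, child_pid, reason) tuples for shells spawned by an
    Office app and for every process those shells (transitively) start."""
    by_pid = {e.pid: e for e in events}
    flagged_shells = set()      # PIDs of shells descending from an Office app
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if _name(parent.image) in OFFICE_APPS and _name(e.image) in SHELLS:
            flagged_shells.add(e.pid)
            findings.append((parent.pid, e.pid, "office-app spawned shell"))
        elif e.ppid in flagged_shells:
            if _name(e.image) in SHELLS:
                flagged_shells.add(e.pid)   # e.g. cmd.exe -> powershell.exe
            findings.append((e.ppid, e.pid, "child of office-spawned shell"))
    return findings


# Constructed sample events reproducing the chain in the post; PID 960 is a
# benign, user-launched Command Prompt that must not be flagged.
SAMPLE = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(812, 400, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.doc"),
    ProcEvent(900, 812, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed download-and-run command>"),
    ProcEvent(950, 900, r"C:\Users\user\AppData\Local\Temp\update.exe", "update.exe"),
    ProcEvent(960, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for finding in suspicious_chains(SAMPLE):
        print(finding)
```

Real deployments would key the same logic on Sysmon Event ID 1 or EDR process-creation events and tune OFFICE_APPS and SHELLS to the environment.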

Once they gain a foothold on a single machine, the attacker is free to download additional malware, escalate privileges, steal credentials, and move laterally within the organization.

Nobody’s perfect. People slip up. With application isolation and control, your users — and your entire organization — are protected against the inevitable foibles of human nature. Overload and FOMO aren’t going away anytime soon so isolate risky activity on endpoints to be sure!


About the Author

Kimberly Becan
Director of Product Marketing at Bromium
