
Bromium blog: Social Engineering behind Operation Sharpshooter serving up Rising Sun

April 3, 2019 Category: Threats By: Kimberly Becan Comments: 0

The Social Engineering Behind Operation Sharpshooter, Rising Sun

We are learning more about Operation Sharpshooter, an espionage campaign that targeted financial services, government and critical infrastructure, primarily in Germany, Turkey, the UK and the US. It is important to show how easily this attack was delivered to end users and how quickly it can infect your enterprise. Despite millions invested in user awareness training and anti-phishing tests, enterprises are still breached daily by simple social engineering, which relies on two key human nature “hacks” that can trick even the most skeptical users: Overload and Fear of Missing Out (FOMO).


Maybe My Invoice Is Overdue?

Everyone is overloaded, at work and in our personal lives, and important things sometimes slip through the cracks. Panic sets in when we think we missed a payment and our mind races: Did I overlook an email? Did the bill get lost in the mail? Or does this bill arrive through an app?

Since clicking a link seems safer than opening an attachment, many users see little risk and succumb to the “overload” hack. They click the link. Strike one.

Your invoice is overdue

Unfortunately, this link leads directly to a weaponized document. The user is already committed to figuring out which bill was missed. Since the file was not blocked, it must be OK, right?

The document is open

Now the document is opened. Strike two.

Maybe My Office Suite Is Out of Date?

If a user has already “invested” two clicks into this process, s/he is not likely to be deterred from the third and most deadly click: enabling active content.

Enabling active content

Since users are afraid of missing out on something important, they succumb to the “FOMO” hack and enable the malicious content, quite literally inviting the malware into the organization. Strike three.

Word promptly launches the Command Prompt, then downloads and runs a malicious executable.
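One way a defender can spot the Word-to-Command-Prompt chain just described, as an added example that is not code from the original post or from Bromium: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields (pid, parent pid, image path), and the lists of Office applications, shells and user-writable directories are assumptions chosen for the illustration.

```python
"""Flag an Office process spawning a shell that then runs a dropped executable."""
from collections import defaultdict

# Assumed lists for the example; tune to the environment being monitored.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_shell_chains(events):
    """Return (office_pid, shell_pid, dropped_pid_or_None) for each suspicious chain.

    events: iterable of dicts with keys pid, ppid, image.
    A chain is flagged when an Office process is the direct parent of a shell;
    the finding records a grandchild executable launched from a user-writable
    directory, which is the 'downloads and runs' step from the post.
    """
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) not in OFFICE_APPS:
            continue
        for shell in children[e["pid"]]:
            if basename(shell["image"]) not in SHELLS:
                continue
            dropped = None
            for grandchild in children[shell["pid"]]:
                if any(m in grandchild["image"].lower() for m in USER_WRITABLE):
                    dropped = grandchild["pid"]
            findings.append((e["pid"], shell["pid"], dropped))
    return findings


# Constructed sample telemetry (not real data): the post's chain plus a benign prompt.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},  # user-opened prompt
]

if __name__ == "__main__":
    for office, shell, dropped in find_office_shell_chains(SAMPLE_EVENTS):
        print(f"Office pid {office} spawned shell pid {shell}; dropped executable pid {dropped}")
```

The user-opened prompt (pid 500) is not flagged because its parent is explorer.exe, not an Office application.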