
Rising Sun

Posted: December 18, 2018

The Rising Sun is a backdoor Trojan that collects system information and grants a remote attacker control over the PC. Its campaign targets multiple nations on every continent, with an emphasis on military and defense-related networks. Because this high-level threat can grant near-total access to an infected PC, users should disconnect the machine from all networks immediately, remove the Rising Sun with a suitable anti-malware program, and then re-secure every credential that the compromised system could have exposed.

A Dark Sun is Rising on All Nations Simultaneously

A highly polished campaign by an as-yet-unidentified team of threat actors is attacking governments from the United States to Brazil, Europe, Japan and Russia. Although early artifacts in the Trojan's setup pointed at the Lazarus Group (also known for the Jaku Botnet and the Duuzer Trojan), further analysis by McAfee researchers suggests that the authors are a different group. In the case of the backdoor Trojan of the hour, the Rising Sun, the targets are especially ominous: military, defense, energy (including nuclear) and telecommunications.

Installers for the otherwise sophisticated Rising Sun infections use a traditional and very popular vector: malicious Word macros. The delivery channel is spam e-mail posing as job recruitment correspondence. Opening the attached document and enabling its macro runs a downloader that retrieves the Rising Sun from a Command & Control (C&C) server and injects it into memory. No browser exploit is involved; the user's decision to enable the macro is what starts the chain. There is a strong possibility of further threats downloading through the Rising Sun, although malware experts can't confirm any additional payloads for now.

An overview of the Rising Sun's payload includes all of the below features:

  • The Rising Sun gives the threat actor comprehensive information about the environment and system settings, such as network adapter configurations, the Windows version and any IP addresses in use.
  • The Rising Sun gives the remote attacker direct control over files, such as renaming, moving or deleting them.
  • The Rising Sun can terminate other programs at will or launch new ones.
  • The backdoor Trojan uses RC4 to encrypt its C&C communications and data uploads. RC4 is a weak, long-deprecated cipher, but that hardly matters here: the purpose is not confidentiality against the victim but hiding the traffic from signature-based network inspection, a typical tactic for Trojans. Because the implant must carry its own key to encrypt uploads, an analyst who recovers that key from the sample can decrypt captured traffic offline.
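To make the RC4 point concrete, here is an added example written for this page; it is not code from the original article or from any Rising Sun sample. It implements RC4 from scratch and applies it to a constructed beacon. The key (`example-key`) and the beacon contents are invented for the illustration and stand in for whatever an analyst would pull out of a real binary. What it shows is that RC4 is a symmetric stream cipher: the exact function the implant uses to encrypt an upload is the one that decrypts a capture, so the only secret protecting the traffic is a key that ships inside the malware.

```python
# Added example, not from the original article or from any Rising Sun sample.
# A minimal RC4 (KSA + PRGA) implementation used to show why RC4-protected
# C&C traffic is obfuscation rather than confidentiality: the same static key
# the implant carries to encrypt its uploads decrypts every capture offline.


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream bytes for `key`."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    # Key-scheduling algorithm (KSA): permute the 256-byte state with the key.
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data`; for a stream cipher both are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed sample traffic. The key and beacon are invented for this example,
# standing in for the key an analyst would recover from a real sample.
SAMPLE_KEY = b"example-key"
SAMPLE_BEACON = b"host=WIN-EXAMPLE;os=10.0.17763;ip=10.0.0.25"


def encrypt_beacon(beacon: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the implant does to collected system information before uploading it."""
    return rc4(key, beacon)


def decrypt_capture(blob: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the analyst does with a captured upload once the key is recovered."""
    return rc4(key, blob)


if __name__ == "__main__":
    wire = encrypt_beacon(SAMPLE_BEACON)
    print("on the wire:", wire.hex())
    print("recovered:  ", decrypt_capture(wire).decode())
    # Sanity check against the published RC4 test vector (key "Key", text "Plaintext").
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
```

The published RC4 test vectors (for example key `Key` with plaintext `Plaintext` giving `BBF316E8D940AF0AD3`) let you confirm the implementation before pointing it at real captures; with the wrong key the output is just noise, which is the whole of RC4's "protection" here.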

Putting Out the Lights of the Rising Sun

The competence and the resources invested in the Rising Sun's campaign also serve the unintended function of showcasing how dependent threat actors remain on simple, crude infection vectors, even the most talented of criminal programmers. Modern versions of Word disable macros by default, and the download cannot happen unless the user deliberately re-enables them. Users also could prevent such an attack by letting their anti-malware tools analyze the document before opening it, which should readily detect the macro's presence even before anyone works out what the macro does.
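As an added illustration of that last point, the following Python triage script (written for this page; it is not part of the original article or of any vendor's product) inspects an Office attachment without ever opening it in Word. It builds its own constructed sample files in memory, so it runs offline; the layouts it checks are the standard ones, an OOXML zip package carrying a `word/vbaProject.bin` part and a macro-enabled content type, or a legacy OLE2 compound file identified by its magic bytes.

```python
# Added example, not from the original article. Triage an Office attachment
# for the presence of a VBA macro project without opening it in Word.
import io
import zipfile

# Magic bytes of the legacy binary Office formats (.doc/.xls compound files).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Strings that only appear in [Content_Types].xml when a package carries macros.
MACRO_CONTENT_TYPES = (b"application/vnd.ms-office.vbaProject", b"macroEnabled")


def triage_office_file(data: bytes) -> dict:
    """Return {'format', 'has_macros', 'evidence'} for raw attachment bytes.

    has_macros is True/False for OOXML packages and None for legacy OLE2 files,
    whose VBA storage this triage does not parse.
    """
    result = {"format": "unknown", "has_macros": False, "evidence": []}
    if data.startswith(OLE2_MAGIC):
        result["format"] = "ole2"
        result["has_macros"] = None
        result["evidence"].append("legacy OLE2 container; inspect VBA storage with a VBA-aware tool")
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["format"] = "ooxml"
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    result["has_macros"] = True
                    result["evidence"].append("VBA project part: %s" % name)
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml")
                for marker in MACRO_CONTENT_TYPES:
                    if marker in content_types:
                        result["has_macros"] = True
                        result["evidence"].append("macro content type: %s" % marker.decode())
    except zipfile.BadZipFile:
        pass  # neither OLE2 nor a zip package: not an Office document we recognise
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed OOXML sample (Word package skeleton), with or without a VBA part."""
    if with_macros:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    parts = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct,
    ]
    if with_macros:
        parts.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "".join(parts))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project; not real VBA.
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed inputs: a clean .docx, a macro-enabled .docm, and an OLE2 header.
CLEAN_DOCX = build_sample(with_macros=False)
MACRO_DOCM = build_sample(with_macros=True)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504   # header only, not a real document

if __name__ == "__main__":
    for label, sample in (("clean.docx", CLEAN_DOCX), ("resume.docm", MACRO_DOCM),
                          ("resume.doc", LEGACY_DOC)):
        print(label, triage_office_file(sample))
```

Note the limits of such a check: it establishes that a VBA project is present, not what the macro does, and for the legacy binary formats it only flags the container, where a VBA-aware tool such as olevba from the oletools project is the right next step. It says nothing about non-VBA tricks such as Excel 4.0 macros. It is still enough to keep a recruitment-themed attachment from being double-clicked on a workstation that can reach a defense network.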

Malware experts recommend treating all sensitive information on an infected PC as compromised until further notice and isolating the machine from every other network-connected or removable device. Although military and defense entities are its primary targets, the Rising Sun is also deployed against secondary ones, such as healthcare, transportation and financial networks. Major AV vendors are updating their databases to accommodate this threat, and users can let their anti-malware solutions delete the Rising Sun safely.

For all the potency of its payload, the Rising Sun is just as vulnerable to standard security practices as the average Hidden Tear clone from a 'script kiddie' style threat actor. Workers who don't pay attention to what they open remain, inevitably, the greatest unintentional abettors of backdoor Trojans and other threats alike.
