Canadian firms targeted by job recruitment scam to gain company intelligence: Report

Canadian natural gas and telecom firms are among critical infrastructure organizations around the world that have been targeted by a job recruitment scam attempting to plant malware, McAfee researchers said today.

The security vendor, which dubs the campaign Operation Sharpshooter, said that so far nuclear, defense, energy, and financial companies have received email with poisoned documents likely aimed at gathering intelligence. The strategy leverages an in-memory implant to download and retrieve a second-stage implant—which McAfee calls Rising Sun—for further exploitation.

“In October and November the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States,” McAfee’s customer data has shown. “This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

In addition to Canada and the U.S., the campaign has been directed at firms in Australia, Israel, France, Germany, Japan, Russia, the U.K., Iran, Spain, Egypt and others.

Researchers said the Rising Sun implant uses source code from the North Korean-based Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework. According to Kaspersky, the Lazarus Group has been working since at least 2009. However, McAfee is careful not to attribute Operation Sharpshooter to them: The “obvious links” in the malware to Lazarus could be a diversion, researchers say.

However, the report also notes this attack is similar to a 2017 campaign attributed to the Lazarus Group.

In this campaign typically a series of targeted job recruitment emails with malicious documents are being sent out. All the malicious documents had English-language job description titles for positions at unknown companies, distributed by an IP address in the United States and through the Dropbox service. The documents contain a malicious macro that leverages
embedded shellcode to inject the Sharpshooter downloader into the memory of Microsoft Word. Once the Word process is infected, the downloader retrieves the second-stage Rising Sun implant. It includes a second decoy document, presumably to confuse defenders and lead them away from the modular backdoor that’s being installed.

Infection flow of Rising Sun implant. McAfee graphic

The implant fetches information including network adapter info, computer name, user name, IP address information, native system information and opeating system  product name from the registry, hard drive details, details of processes running on the device and details of files. This data is sent to a command and control server where the attackers use it to decide their next steps.

“We have not previously observed this implant,” says McAfee. “Was this attack just a first-stage reconnaissance operation, or will there be more?”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now