Rising Sun

Malware updated 4 months ago (2024-05-05T01:18:01.502Z)
Rising Sun is a malware family that shares significant similarities with the Lazarus Group's Duuzer implant. It reuses source code from the Duuzer backdoor, which was first used in a 2015 campaign against South Korean organizations, primarily in manufacturing. Rising Sun was observed in attacks before the discovery of Operation 'Sharpshooter' and shares the tactics, techniques, and procedures (TTPs) seen in operations attributed to the Lazarus Group. Researchers have noted that all Rising Sun implants were based on the original Duuzer backdoor source code. The malware operates as a second-stage implant that performs reconnaissance on the victim's network. Its main function is to gather and encrypt data from the victim, including the infected device's computer name, IP address data, native system information, and more. According to researchers Ryan Sherstobitoff and Asheer Malhotra of McAfee's Advanced Threat Research Team (ATR), this fully modular backdoor has been used in various cyberattacks since at least 2016. The connection between Rising Sun and the Lazarus Group is further reinforced by similar methods of operation: both the operators behind Rising Sun and the Lazarus Group have used fake job recruitment campaigns to disguise their attacks, and Lazarus relied on similar versions of Rising Sun in activity tracked in 2017. These factors point to a strong link between the two, suggesting a shared origin or collaboration in their malicious activities.
Description last updated: 2024-05-05T01:12:00.312Z
Aliases: none currently tracked
Source Document References
Information about the Rising Sun malware was read from the documents below.

Source: MITRE, created 2 years ago. Title: Op 'Sharpshooter' Connected to North Korea's Lazarus Group
Source: MITRE, created 2 years ago. Title: RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope | Threatpost