Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

9/13/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

An Image Can Poison Just as Well as an Exploit Can

An emerging and increasingly sophisticated threat campaign is employing obscure file formats.

Research from business startup Prevailionperformed by Danny Adamitis and Elizabeth Wharton has found an emerging and increasingly sophisticated threat campaign employing obscure file formats. After detecting related trojanized documents -- all discussing nuclear deterrence as well as North Korea's nuclear submarine program and economic sanctions -- the people at Prevailion has dubbed the campaign "Autumn Aperture." They did not say if they have also given it a "cute" emoji.

The new campaign is assessed by Prevailion experts to be an expansion of a coordinated effort to target US-based entities. They associate it with "moderate" confidence to the Kimsuky -- a.k.a. "Smoke Screen" -- threat actors and to them is a likely continuation of previously reported "Baby Shark" activity that targeted US national security think tanks.

The Prevailion research will be discussed at a conference on September 12.

Consistent with trends that have been previously seen, the threat actors continued to trojanize genuine documents in this campaign. Throughout it, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content -- in this case, a report on the construction of a new ballistic missile submarine (SSB) facility -- while surreptitiously installing additional malware on the victim's computer.

One of the alternate documents used by the threat actors was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANNSI).

The threat actors have added new functionalities, such as an added feature to enumerate the host machine as well as experimenting with password protecting their documents.

Another feature called Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload from the C&C server onto the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. The script would check for the presence of Malware Bytes, Windows Defender, Mcafee, Sophos and TrendMicro. Prevailion says that the last new feature of the script would attempt to obtain the application's version number -- in most cases this would likely be the version of Microsoft Word -- and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].

To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). This was for stealth, since the standard file format, VBA, had an initial detection rate of 23/57. But the FPX file format has a significantly lower detection rate, at 8/57 AV products, according to VirusTotal.

This technique followed a wider trend that Prevailion says it has been observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit.

People being people, the future will show if this kind of technique furthers the attackers' penetration rate.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.