Sponsored By

An Image Can Poison Just as Well as an Exploit Can

An emerging and increasingly sophisticated threat campaign is employing obscure file formats.

Larry Loeb

September 13, 2019

3 Min Read

Research from business startup Prevailionperformed by Danny Adamitis and Elizabeth Wharton has found an emerging and increasingly sophisticated threat campaign employing obscure file formats. After detecting related trojanized documents -- all discussing nuclear deterrence as well as North Korea's nuclear submarine program and economic sanctions -- the people at Prevailion has dubbed the campaign "Autumn Aperture." They did not say if they have also given it a "cute" emoji.

The new campaign is assessed by Prevailion experts to be an expansion of a coordinated effort to target US-based entities. They associate it with "moderate" confidence to the Kimsuky -- a.k.a. "Smoke Screen" -- threat actors and to them is a likely continuation of previously reported "Baby Shark" activity that targeted US national security think tanks.

The Prevailion research will be discussed at a conference on September 12.

Consistent with trends that have been previously seen, the threat actors continued to trojanize genuine documents in this campaign. Throughout it, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content -- in this case, a report on the construction of a new ballistic missile submarine (SSB) facility -- while surreptitiously installing additional malware on the victim's computer.

One of the alternate documents used by the threat actors was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANNSI).

The threat actors have added new functionalities, such as an added feature to enumerate the host machine as well as experimenting with password protecting their documents.

Another feature called Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload from the C&C server onto the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. The script would check for the presence of Malware Bytes, Windows Defender, Mcafee, Sophos and TrendMicro. Prevailion says that the last new feature of the script would attempt to obtain the application's version number -- in most cases this would likely be the version of Microsoft Word -- and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].

To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). This was for stealth, since the standard file format, VBA, had an initial detection rate of 23/57. But the FPX file format has a significantly lower detection rate, at 8/57 AV products, according to VirusTotal.

This technique followed a wider trend that Prevailion says it has been observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit.

People being people, the future will show if this kind of technique furthers the attackers' penetration rate.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights