An Image Can Poison Just as Well as an Exploit Can

Research from business startup Prevailionperformed by Danny Adamitis and Elizabeth Wharton has found an emerging and increasingly sophisticated threat campaign employing obscure file formats. After detecting related trojanized documents -- all discussing nuclear deterrence as well as North Korea's nuclear submarine program and economic sanctions -- the people at Prevailion has dubbed the campaign "Autumn Aperture." They did not say if they have also given it a "cute" emoji.

The new campaign is assessed by Prevailion experts to be an expansion of a coordinated effort to target US-based entities. They associate it with "moderate" confidence to the Kimsuky -- a.k.a. "Smoke Screen" -- threat actors and to them is a likely continuation of previously reported "Baby Shark" activity that targeted US national security think tanks.

The Prevailion research will be discussed at a conference on September 12.

Consistent with trends that have been previously seen, the threat actors continued to trojanize genuine documents in this campaign. Throughout it, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content -- in this case, a report on the construction of a new ballistic missile submarine (SSB) facility -- while surreptitiously installing additional malware on the victim's computer.

One of the alternate documents used by the threat actors was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANNSI).

The threat actors have added new functionalities, such as an added feature to enumerate the host machine as well as experimenting with password protecting their documents.

Another feature called Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload from the C&C server onto the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. The script would check for the presence of Malware Bytes, Windows Defender, Mcafee, Sophos and TrendMicro. Prevailion says that the last new feature of the script would attempt to obtain the application's version number -- in most cases this would likely be the version of Microsoft Word -- and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].

To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). This was for stealth, since the standard file format, VBA, had an initial detection rate of 23/57. But the FPX file format has a significantly lower detection rate, at 8/57 AV products, according to VirusTotal.

This technique followed a wider trend that Prevailion says it has been observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit.

People being people, the future will show if this kind of technique furthers the attackers' penetration rate.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.