North Korean Spear-Phishing Attack Targets U.S. Firms

autumn aperture kimsuky spear-phishing

Researchers warn that U.S. firms are being targeted with legitimate – but trojanized – documents that are often socially engineered to a tee.

Researchers have uncovered an ongoing, sophisticated malware campaign aiming at U.S.-based targets with an interest in nuclear deterrence, North Korea’s nuclear submarine program and North Korean economic sanctions.

The campaign, which researchers from Prevailion call “Autumn Aperture” and link with moderate confidence to the North Korea-based Kimsuky threat actors, sends victims trojanized documents via spear-phishing emails.

The campaign is highly sophisticated, using legitimate documents that the targets were likely expecting, which have been booby-trapped. In addition, the threat actors used anti-evasion tactics such as utilizing obscure file formats (including the Kodak FlashPix format), which make them harder to detect by antivirus products, researchers said.

Researchers did not specify the companies targeted or the specific type of malware variant linked to the campaign. When asked about the specific malware utilized in the campaign, they told Threatpost: “Unfortunately Prevailion was unable to find the payload associated with this campaign. We were able to determine that trojanized document was trying to pull down an executable HTML file. But could not find a sample to analyze. ”

The researchers said that they had seen a slew of trojanized documents being spread throughout this past summer, with the most recent wave being sent around Aug. 20.

The emails containing the attachments were socially engineered to to mimic emails that were likely anticipated by victims. For instance, one malicious document was a conference speaker’s notes, sent after his presentation at a nuclear-deterrence summit.

autumn aperture

One malicious document used in Autumn Aperture

Another was a report from a U.S. university affiliate discussing North Korea’s new ballistic missile submarine (SSB) capabilities; while yet another impersonated the U.S. Department of Treasury and sent a renewal notice for a sanctions license.

The most recent document associated with the campaign, modified on Aug. 20, was titled “NK new SSB shown with Kim 22-7-2019;” it featured a report on the construction of a new SSB facility. Document metadata shows that it was created by a U.S. based university affiliate and was modified by the threat actors.

When victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content while secretly installing malware onto the victims’ system.

“These threat actors’ [tactics, techniques and procedures] are evolving and continue to be refined with each new operation,” Danny Adamitis and Elizabeth Wharton, both with Prevailion, warned in a Wednesday post. “While this type of operation did require some user interaction (pressing the macro button), the malware would do the rest in the background, hidden from the victim.”

Threat actors also bolstered their campaign with new tricks that made the malicious documents more difficult to spot.

One newly added feature would enumerate the host machine and experiment with password-protecting certain documents. Autumn Aperture also added a new feature that called Windows Management Instrumentation (WMI) — the infrastructure for management data and operations on Windows-based operating systems — to determine if it was safe to obtain the next payload on the host machine. It did this by obtaining a list of running processes and services from WMI, then comparing that output to a list of known antivirus products.

In July, threat actors added a script to the dropper that would check for the presence of antivirus products from Malwarebytes, Microsoft (Windows Defender) and McAfee, as well as (starting in August) scripts to detect Sophos and Trend Micro.

And finally, in recent campaigns, threat actors embedded the malware in a Kodak FlashPix file format (FPX). FPX is a complex image file format intended for use with photographs.

According to VirusTotal testing, the FPX file format has a significantly lower detection rate than most, dropping the initial detection rate to eight out of 57 AV products; whereas the standard file format for photos, VBA, had an initial detection rate of  23 out of 57.

“This technique followed a wider trend that we are observing across multiple threat-actor groups, in which they socially engineer victims with an image rather than relying on an exploit,” researchers said. “Several actors are creating more robust droppers to better protect their tool sets and increase their chances of operating without discovery. These changes reflect a highly motivated threat actor, likely to continue performing operations.”

The Kimsuky threat group, which was linked to the campaign, has been on the radar since 2018, and is known for targeting South Korean political organizations and think tanks. The APT in 2018 “renewed its arsenal with a completely new framework designed for cyber-espionage and used in a spear-phishing campaign,” according to Kaspersky researchers.

Kaspersky researchers also said that the Kimsuky group has extended its activities to include individuals and companies in the cryptocurrency exchanges sector, mainly in South Korea.

Researchers with Prevailion warned of future ongoing attacks, and said organizations should assess existing risk profiles, review emergency response plans and ensure that employees are educated.

“Given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure,” they said.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.