Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

9/13/2019
09:55 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

An Image Can Poison Just as Well as an Exploit Can

An emerging and increasingly sophisticated threat campaign is employing obscure file formats.

Research from business startup Prevailionperformed by Danny Adamitis and Elizabeth Wharton has found an emerging and increasingly sophisticated threat campaign employing obscure file formats. After detecting related trojanized documents -- all discussing nuclear deterrence as well as North Korea's nuclear submarine program and economic sanctions -- the people at Prevailion has dubbed the campaign "Autumn Aperture." They did not say if they have also given it a "cute" emoji.

The new campaign is assessed by Prevailion experts to be an expansion of a coordinated effort to target US-based entities. They associate it with "moderate" confidence to the Kimsuky -- a.k.a. "Smoke Screen" -- threat actors and to them is a likely continuation of previously reported "Baby Shark" activity that targeted US national security think tanks.

The Prevailion research will be discussed at a conference on September 12.

Consistent with trends that have been previously seen, the threat actors continued to trojanize genuine documents in this campaign. Throughout it, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content -- in this case, a report on the construction of a new ballistic missile submarine (SSB) facility -- while surreptitiously installing additional malware on the victim's computer.

One of the alternate documents used by the threat actors was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANNSI).

The threat actors have added new functionalities, such as an added feature to enumerate the host machine as well as experimenting with password protecting their documents.

Another feature called Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload from the C&C server onto the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. The script would check for the presence of Malware Bytes, Windows Defender, Mcafee, Sophos and TrendMicro. Prevailion says that the last new feature of the script would attempt to obtain the application's version number -- in most cases this would likely be the version of Microsoft Word -- and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].

To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). This was for stealth, since the standard file format, VBA, had an initial detection rate of 23/57. But the FPX file format has a significantly lower detection rate, at 8/57 AV products, according to VirusTotal.

This technique followed a wider trend that Prevailion says it has been observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit.

People being people, the future will show if this kind of technique furthers the attackers' penetration rate.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26895
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
CVE-2020-26896
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.