A hacking group that cybersecurity researchers link to North Korea has been targeting U.S.-based entities with malicious documents that leverage obscure file formats, namely Kodak FlashPix (FPX) files, to evade antivirus software. The new campaign, dubbed "Autumn Aperture" by the experts at Prevailion, appears to be the work of the Kimsuky group (also known as "Smoke Screen"), which is known for its previous attacks on South Korean think tanks, industry, and nuclear power operators.
The researchers uncovered the campaign after detecting several malicious documents discussing nuclear deterrence, North Korea's nuclear submarine program, and economic sanctions on the North Korean regime. The trojanized Microsoft Word documents were delivered through business email compromise (BEC) and contained embedded Kodak FlashPix (FPX) files hiding the malware. Once the victim opened the document, it displayed a prompt to enable macros in order to view the content; after the user enabled the macros, the malware stealthily installed additional malicious payloads on the victim's computer.
The Kimsuky group has been using the FPX file format since at least July 2019, according to the report. Attackers leverage FPX files for a number of reasons. One of them is that such files have a significantly lower detection rate (8/57 AV products, according to VirusTotal testing) than standard Visual Basic for Applications (VBA) files (23/57 AV solutions).
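As an added triage example (not code from the Prevailion report), the following Python script inventories the two features of the lure described above inside a .docx: a VBA project and embedded structured-storage objects, which is how a FlashPix container shows up in an Office document, since FPX is built on OLE2 structured storage. The sample document, its ProgID value and its file names are constructed for the demonstration.

```python
import io
import re
import zipfile

# Compound File Binary (OLE2 structured storage) signature. FlashPix is a
# structured-storage format, so an embedded FPX object carries this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_docx(data: bytes) -> dict:
    """Inventory VBA macros, embedded objects and OLE ProgIDs in a .docx (a zip)."""
    report = {"has_macros": False, "embedded": [], "progids": []}
    with zipfile.ZipFile(io.BytesIO(data)) as doc:
        names = doc.namelist()
        report["has_macros"] = "word/vbaProject.bin" in names
        for name in names:
            if name.startswith("word/embeddings/"):
                head = doc.read(name)[:8]
                kind = "ole-cfb" if head == OLE_MAGIC else "other"
                report["embedded"].append((name, kind))
        if "word/document.xml" in names:
            xml = doc.read("word/document.xml").decode("utf-8", "replace")
            report["progids"] = re.findall(r'ProgID="([^"]+)"', xml)
    return report


def matches_lure_pattern(report: dict) -> bool:
    """Macro-enabled document that also carries a structured-storage object."""
    return report["has_macros"] and any(k == "ole-cfb" for _, k in report["embedded"])


def build_sample_docx() -> bytes:
    """Constructed minimal .docx showing the pattern (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml",
                     '<w:document><o:OLEObject ProgID="Sample.Object"/></w:document>')
        doc.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a macro project
        doc.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_docx(build_sample_docx())
    print(result, "suspicious" if matches_lure_pattern(result) else "clean")
```

A real triage would follow this with macro extraction and inspection of the embedded container's streams; this script only performs the cheap first pass that flags documents worth that effort.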
"This was likely done as AV products have numerous signatures designed to inspect VBA files; while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be subsequently flagged as malicious," the Prevailion team explained.
Furthermore, the attackers added several new capabilities: host-based enumeration, delivered through the FPX files, to obtain usernames and passwords, and Windows Management Instrumentation (WMI) queries to check for the presence of certain antivirus products (Malwarebytes, Windows Defender, McAfee, Sophos, or TrendMicro).
Indicators of Compromise (IoCs)