12 September 2019

North Korean hackers employ antiquated file formats to evade detection

A hacking group that cybersecurity researchers link to North Korea has been targeting U.S.-based entities with malicious documents that leverage an obscure file format, Kodak FlashPix (FPX), to hide their payload from antivirus software. The new campaign, dubbed “Autumn Aperture” by the experts at Prevailion, appears to be the work of the Kimsuky group (also known as “Smoke Screen”), which is known for its previous attacks on South Korean think tanks, industry, and nuclear power operators.

The researchers uncovered the campaign after detecting several malicious documents discussing nuclear deterrence, North Korea’s nuclear submarine program, and economic sanctions on the North Korean regime. The trojanized Microsoft Word documents were delivered using a business email compromise (BEC) method and contained embedded Kodak FlashPix (FPX) files hiding the malware. Once the victim opened the document, it displayed a prompt to enable macros in order to view the content; after the user enabled the macros, the malware would stealthily install additional malicious payloads on the victim's computer.
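A defender-side triage check for the lure pattern described above (a macro project plus embedded OLE-container objects, which is what a FlashPix file is on disk), written as an added example that is not Prevailion's code; it assumes the documents are OOXML (zip) Word files and builds a constructed sample container for testing rather than using a real lure.

```python
"""Triage an OOXML Word document for the Autumn Aperture lure pattern:
a VBA project plus embedded OLE compound-file objects (FlashPix/FPX is a
structured-storage container). Example code, not Prevailion's tooling."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header signature


def triage_docx(data: bytes) -> dict:
    """Return macro flag, embedded OLE object names and a combined verdict."""
    result = {"has_macros": False, "ole_embeddings": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                result["has_macros"] = True
            elif lower.startswith("word/embeddings/"):
                with z.open(name) as f:
                    # Only the first 8 bytes are needed to recognise an OLE container
                    if f.read(8) == OLE_MAGIC:
                        result["ole_embeddings"].append(name)
    # Macros alone are common in business documents; macros plus an embedded
    # OLE container (such as an FPX file) is the combination worth escalating.
    result["suspicious"] = result["has_macros"] and bool(result["ole_embeddings"])
    return result


def build_sample(with_macros: bool, with_ole: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        if with_ole:
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample(True, True)))
```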

The Kimsuky group has been using the FPX file format since at least July 2019, according to the report. Attackers leverage FPX files for a multitude of reasons. One of them is that such files have a significantly lower detection rate (8/57 AV products, according to VirusTotal testing) than standard Visual Basic for Applications (VBA) files (23/57 AV solutions).

“This was likely done as AV products have numerous signatures designed to inspect VBA files; while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be subsequently flagged as malicious,” explained the Prevailion team.

Furthermore, the attackers added several new functions to the FPX-based payloads: host-based enumeration to obtain usernames and passwords, and checks for the presence of certain antivirus products (Malwarebytes, Windows Defender, McAfee, Sophos, or TrendMicro) made through calls to Windows Management Instrumentation (WMI).

Indicators of Compromise (IoCs)
