Hackers linked to North Korea have been targeting entities in the United States using evasion techniques that involve an uncommon file format, U.S.-based business compromise intelligence startup Prevailion reported on Wednesday.
The activities of the cyber-espionage group, tracked as Kimsuky and Smoke Screen, were brought to light in 2013, after it had launched highly targeted attacks against entities in South Korea and China.
A report published in April by South Korea-based ESTsecurity describes attacks launched by Kimsuky against entities in South Korea and the United States.
Prevailion observed a campaign launched this summer by the threat actor against entities in the U.S., with the most recent attacks initiated around August 20, based on the documents used by the attackers as bait.
As part of this campaign, which the cybersecurity firm has dubbed “Autumn Aperture,” the hackers sent out emails with specially crafted Word documents that the targeted user was likely to open. One of the files contained the notes of an individual who gave a presentation at the Nuclear Deterrence Summit earlier this year in Virginia. Another document was a report from a U.S.-based university affiliate discussing a North Korean ballistic missile submarine. The last document described in Prevailion’s report appeared to originate from the U.S. Treasury Department and contained a North Korea sanctions license.
The document from the Nuclear Deterrence Summit was also referenced by ESTsecurity in its April report. Prevailion believes the file was likely used as a lure in attacks targeting individuals who attended the conference or ones who might be interested in the topics covered at the event.
In some cases, a variant of this document was delivered through a Bitly link that pointed to the file. An analysis of one URL revealed that the link had been clicked over 400 times.
When opened, each of the Word documents instructed the targeted user to enable macros before displaying content. This is a widely used technique that allows attackers to install malware on the victim’s device.
The trojanized documents delivered by Kimsuky initiated the execution of a chain of actions designed to analyze the compromised system, including for the presence of security solutions from Malwarebytes, Microsoft, McAfee, Sophos and Trend Micro.
One interesting evasion technique used by the threat group involves the use of the Kodak FlashPix file format (FPX). The hackers used this file format since at least July to hide new malware functionality designed to obtain the version of the application used to open the bait document.
“According to VirusTotal testing, the FPX file format has a significantly lower dectection rate, dropping the initial detection rate to 8/57 AV products. Whereas the standard file format, VBA, had an initial detection rate of 23/57,” Prevailion explained in a blog post. “This was likely done as AV products have numerous signatures designed to inspect VBA files; while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be subsequently flagged as malicious.”
Related: Researchers Say Code Reuse Links North Korea’s Malware
Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal
