North Koreans Spear Phish U.S. Victims With Social Engineering Hidden In Obscure Kodak FlashPix Format


A suspected North Korean threat actor has been sending spear phishing emails targeting US organizations, according to Prevailion researchers Danny Adamitis and Elizabeth Wharton. Adamitis and Wharton recently joined the CyberWire’s Research Saturday podcast to describe the phishing campaign, which they call “Autumn Aperture.”

The attackers behind this campaign are sending Word documents containing genuine speaker notes from a conference the victim has attended or is interested in. Before the recipients can view the notes, they’re asked to enable macros in the document. Once they do, the macro quietly installs malware while the recipient is shown the speaker notes, so nothing looks amiss.

The phishing emails have a very high success rate, and the researchers believe each one is individually tailored to its recipient. Adamitis explained that nation-state hackers usually don’t need sophisticated techniques to gain a foothold because phishing is so effective.

“It's proving to be highly effective,” Adamitis said. “It's very cost effective for a threat actor. You can go on GitHub and you can download a number of projects and they will help you build these macros in under an hour or so. And it doesn't actually cost this threat actor anything.”

Another notable aspect of the campaign is that the attackers embedded the Visual Basic macro code inside an old, obscure image format known as “Kodak FlashPix.” This cut the antivirus detection rate by almost two-thirds, because scanners are tuned to look for macros in the Visual Basic file containers Office documents normally use, not inside an embedded FlashPix object.
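As an added illustration of the detection gap described above (this is example code written for this post, not Prevailion's tooling or anything from the campaign), the script below triages an Office Open XML archive for the two things the campaign turns on: a declared VBA project in the usual place, and embedded OLE compound-file objects carrying VBA storage names. Kodak FlashPix files are built on the same OLE2 structured-storage container as Office binary files, so an embedded .fpx object lands in the second check. It assumes the lure is delivered as a .docx/.docm archive (the article does not describe the file layout), and the sample archives it scans are constructed inline rather than taken from the campaign.

```python
# Added example: triage an Office Open XML document for the usual macro container
# and for embedded OLE compound files that carry VBA storage names.
# Assumption: the lure arrives as a .docx/.docm ZIP archive; the sample below is constructed.
import io
import zipfile

# Compound File Binary (OLE2) header signature shared by Office binary files and FlashPix.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory-entry names are stored as UTF-16LE. These storage names indicate a
# VBA project living inside an embedded object rather than in word/vbaProject.bin.
VBA_MARKERS = [
    "_VBA_PROJECT".encode("utf-16-le"),
    "Macros".encode("utf-16-le"),
]
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def triage_ooxml(data: bytes) -> dict:
    """Return which macro-related parts the archive carries."""
    findings = {
        "declares_vba_project": False,  # [Content_Types].xml lists a vbaProject part
        "vba_parts": [],                # word/vbaProject.bin and friends
        "embedded_ole": [],             # embedded compound files (oleObject*.bin, .fpx, ...)
        "embedded_ole_with_vba": [],    # embedded compound files with VBA storage names
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            findings["declares_vba_project"] = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba_parts"].append(name)
                continue
            if "/embeddings/" not in lower:
                continue
            blob = zf.read(name)
            if blob.startswith(OLE_MAGIC):
                findings["embedded_ole"].append(name)
                # Byte search is a triage heuristic, not a full OLE directory walk.
                if any(marker in blob for marker in VBA_MARKERS):
                    findings["embedded_ole_with_vba"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into the label an analyst would act on."""
    if findings["embedded_ole_with_vba"]:
        return "suspicious: VBA hidden inside an embedded OLE object"
    if findings["vba_parts"] or findings["declares_vba_project"]:
        return "macro-enabled document"
    if findings["embedded_ole"]:
        return "embedded OLE object, no VBA markers"
    return "no macro indicators"


def build_sample(embed_vba: bool) -> bytes:
    """Constructed sample: a minimal docx-like archive with one embedded OLE object."""
    body = OLE_MAGIC + b"\x00" * 504  # 512-byte header; the rest of the container is not modelled
    if embed_vba:
        body += "_VBA_PROJECT".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        found = triage_ooxml(build_sample(flag))
        print(verdict(found), found)
```

The point of the second check is that a scanner which only inspects the declared VBA project part never opens the embedded object; a real triage pipeline would hand anything flagged here to a proper OLE parser such as oletools' olevba rather than relying on the string search.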

“It’s like nobody’s looking for pagers these days, or criminals using a messenger to get their message across rather than sending it,” Wharton explained. “You know, you send a courier rather than sending a text or other electronic. And by taking it off the grid, it permits the higher rate of success.”

Adamitis stressed that someone who knows not to enable macros will be safe from this campaign, explaining that “if you can actually stop there before you hit the enable button, that nullifies the rest of the attack.” Wharton also emphasized that training is the key to preventing these attacks.

“It's a sophisticated attack from that point forward, but easy enough to stop with the proper amount of training,” said Wharton.

Autumn Aperture is one of many examples showing that advanced state-sponsored threat groups rely on the same type of social engineering tactics used by low-level criminals. New-school security awareness training can help your employees defend themselves against targeted attacks.

The CyberWire has the story:

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
