KnowBe4 Security Awareness Training Blog

North Koreans Spear Phish U.S. Victims With Social Engineering Hidden In Obscure Kodak FlashPix Format

Written by Stu Sjouwerman | Oct 1, 2019 11:23:44 PM

A suspected North Korean threat actor has been sending spear phishing emails targeting US organizations, according to Prevailion researchers Danny Adamitis and Elizabeth Wharton. Adamitis and Wharton recently joined the CyberWire’s Research Saturday podcast to describe the phishing campaign, which they call “Autumn Aperture.”

The attackers behind this campaign are sending Word documents containing real speaker notes from a conference the victim has attended or is interested in. Before the recipients can view the notes, they’re asked to enable macros in the documents. Once this is done, a macro will quietly install malware, while the recipient is presented with the speaker notes.

The phishing emails have a very high success rate, and the researchers believe each one is tailored to its individual victim. Adamitis explained that nation-state hackers usually don’t need to use sophisticated techniques to gain a foothold because phishing is so efficient.

“It's proving to be highly effective,” Adamitis said. “It's very cost effective for a threat actor. You can go on GitHub and you can download a number of projects and they will help you build these macros in under an hour or so. And it doesn't actually cost this threat actor anything.”

Another notable aspect of the campaign is that the attackers embedded the Visual Basic file in an old, obscure file format known as “Kodak FlashPix.” This reduced their antivirus detection rate by almost two-thirds, since most antivirus scanners focus on the more commonly used Visual Basic file formats.

“It’s like nobody’s looking for pagers these days, or criminals using a messenger to get their message across rather than sending it,” Wharton explained. “You know, you send a courier rather than sending a text or other electronic. And by taking it off the grid, it permits the higher rate of success.”

Adamitis stressed that someone who knows not to enable macros will be safe from this campaign, explaining that “if you can actually stop there before you hit the enable button, that nullifies the rest of the attack.” Wharton also emphasized that training is the key to preventing these attacks.

“It's a sophisticated attack from that point forward, but easy enough to stop with the proper amount of training,” said Wharton.

Autumn Aperture is one of many examples showing that advanced state-sponsored threat groups rely on the same types of social engineering tactics used by low-level criminals. New-school security awareness training can help your employees defend themselves against targeted attacks.

The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-rs-2019-09-28.html