• Americans officials linked to denuclearization and economic sanctions to North Korea have been receiving Trojanized documents.
  • Hackers were found using obscure file formats to bypass antivirus, which could perform host-based enumeration to obtain usernames and passwords. Prevalion, a Maryland-based cybersecurity company, suspects Kimsuky or Smoke Screen behind the attack.

What is the fuss about: Ever since the denuclearization talks between North Korea and the U.S stalled, U.S Cyber Command has been reporting and publically exposing North Korean Hacker groups for their attempts to intrude the systems.

  • Research from Maryland-based cybersecurity firm Prevailion suggests that hacking groups with its ties to North Korea are trying to infuse malware through rare file format in the systems of target users. But, with mild confidence, it proposes the names Kimsuky or Smoke Screen behind the action.
  • According to the Prevailion researchers, hackers have been sending infected documents to victims who were a part of negotiations related to denuclearization deal between the two nations, North Korea’s nuclear submarine program, and economic sanctions on the North Korean regime.

Malware fans out sneakily: Practicing a new stealth mode to escape antivirus programs, the group is hiding its malware in Kodak FlashPix (FPX) file format. The method helps malware play hooky with the antivirus programs installed on the system.

  • The attackers would embed FPX files in Microsoft Word documents to be sent to victims, and then launch malware via macro commands.
  • There are much fewer chances of FPX file formats being detected as compare to standard Visual Basic for Applications (VBA) files.

What makes the attack successful: Microsoft Office document macros have long been a top method for attackers to compromise target machines. However, the group’s idea of hiding malware in a .fpx format attached to Microsoft docs initiated around July this year. Below are the observations made by Danny Adamitis, Prevailion’s director of intelligence analysis:

  • Corrupt macros allow further download and installation of malware programs while the document may appear normal to the user.
  • Leveraging the FPX files, the hackers could perform host-based enumeration to obtain usernames and passwords.
  • The group appeared to test run queries with various antivirus and windows defender to check whether the victim’s machines are employing those before enabling the attack.

Tailing strong on the suspects: Kimsuky group has previously attacked South Korean think tanks and defense experts, and the U.S.-based experts are on their radar in the latest campaign, said Adamitis.

  • Just a few days after the U.S. Cyber Command mentioned a group’s name linked with the North Korean government, the campaign pushed a new round of trojanized documents, Adamitis said.
  • The motives behind the attack remain cloudy but the hackers were earlier indulged in cyber-attacking events to fund Pyongyang’s weapons program.
  • According to Adamitis, the group had started to conceal their activities a few months after the denuclearization deal failed.

What else do we know: In the past, some documents that have been used to manipulate victims into clicking includes a document impersonating the U.S. Treasury Department, a document about a nuclear deterrence conference, and an academic report on North Korea’s ballistic missile submarine capabilities.

In August, California-based threat intelligence company Anomali had revealed a network of malicious websites spoofing login portals of various U.S. government agencies and think tanks. Each of the targets, in one way or the other, was focused on North Korea’s nuclear efforts.

Cyware Publisher