A hacking group with ties to North Korea has been targeting U.S. entities with malicious documents as it works to hide its tracks better, according to research from Maryland-based cybersecurity firm Prevailion.
The group has started placing its malware in obscure file formats, namely Kodak FlashPix (FPX) files, to evade antivirus products, according to Danny Adamitis, Prevailion's director of intelligence analysis. The FPX files are embedded in Microsoft Word documents that are sent to victims; a macro in the document then launches the embedded file.
Because antivirus products are less likely to inspect FPX content than a standard Visual Basic for Applications (VBA) macro, Adamitis believes the North Korean hackers are exploiting that gap to push their attacks past antivirus detection.
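The technique described above, a macro-enabled Word document carrying an embedded object that antivirus engines may not inspect, can be triaged without opening the file in Word. The following script is an added example written for this page, not Prevailion's tooling or anything recovered from the campaign: it assumes the lure is packaged as OOXML (.docm, a ZIP archive), builds a constructed stand-in document in memory, and reports whether the package contains a VBA project and any embedded OLE compound objects (the container format FlashPix uses). The `.fpx` filename search is a cheap heuristic that only fires when an embedding stores its original filename; a reliable FlashPix check would parse the compound file and read its root CLSID.

```python
import io
import zipfile

# Magic bytes of an OLE compound file (CFB). Kodak FlashPix images, VBA
# projects and most embedded OLE objects all use this container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_constructed_docm() -> bytes:
    """Build a minimal macro-enabled Word package with one embedded object.

    Constructed stand-in for illustration only: the parts are stubs carrying
    the right magic bytes, not real VBA or FlashPix content.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 56)
        z.writestr(
            "word/embeddings/oleObject1.bin",
            OLE_MAGIC + b"\x00" * 40 + "lure.fpx".encode("utf-16-le") + b"\x00" * 16,
        )
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


def _mentions_fpx(data: bytes) -> bool:
    """Heuristic: look for an '.fpx' filename stored as ASCII or UTF-16LE."""
    lowered = data.lower()
    return b".fpx" in lowered or ".fpx".encode("utf-16-le") in lowered


def triage_word_package(doc_bytes: bytes) -> dict:
    """Inspect an OOXML Word package for a VBA project and embedded OLE objects.

    Verdicts: 'clean' (nothing of note), 'review' (macro plus an embedded OLE
    compound object), 'suspicious' (macro plus an embedding that names an
    .fpx file). The thresholds are this example's own choice.
    """
    report = {"has_vba_project": False, "embedded_objects": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = z.namelist()
        report["has_vba_project"] = "word/vbaProject.bin" in names
        for name in names:
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            report["embedded_objects"].append({
                "name": name,
                "size": len(data),
                "is_ole_compound": data.startswith(OLE_MAGIC),
                "mentions_fpx": _mentions_fpx(data),
            })

    has_ole_embed = any(o["is_ole_compound"] for o in report["embedded_objects"])
    names_fpx = any(o["mentions_fpx"] for o in report["embedded_objects"])
    if report["has_vba_project"] and names_fpx:
        report["verdict"] = "suspicious"
    elif report["has_vba_project"] and has_ole_embed:
        report["verdict"] = "review"
    return report


if __name__ == "__main__":
    for key, value in triage_word_package(build_constructed_docm()).items():
        print(f"{key}: {value}")
```

Legacy binary `.doc` lures are themselves OLE compound files rather than ZIP packages, so the same checks there need a CFB parser (the `olefile` library, or `olevba` and `oleobj` from oletools, which is what most analysts would reach for first).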
Prevailion links the activity, with moderate confidence, to a group known as Kimsuky or Smoke Screen. The attackers have been sending trojanized documents to victims that discuss nuclear deterrence, North Korea's nuclear submarine program, and economic sanctions on the North Korean regime, Prevailion researchers said.
Although Kimsuky has targeted South Korean think tanks and defense experts in the past, Prevailion says the targets are U.S.-based in the latest campaign.
Adamitis said his team is not making assessments on what the hackers’ motives are, but the group started to conceal their activities a few months after President Donald Trump’s February summit with North Korea’s Kim Jong-un. That meeting ultimately ended in a failure to reach a denuclearization deal. Over the course of the stalled dialogue, U.S. Cyber Command has been publicly exposing malware that security researchers link with North Korean hackers who have, in the past, used cyberattacks to fund Pyongyang’s weapons program.
Just a few days after Cyber Command called out one group that has been linked with the North Korean government, the attackers sent out another wave of trojanized documents, Adamitis said.
New stealth methods
The group’s method of hiding its attacks through the use of FPX files started as early as July, researchers told CyberScoop.
Long used as an attack vector, macros let users define a series of commands that Microsoft Word executes automatically, typically to automate frequent tasks. Weaponized macros can install additional malware even though the document appears normal to the user, Adamitis explained.
Documents used to dupe victims into opening them have included one impersonating the U.S. Treasury Department, an academic report on North Korea's ballistic missile submarine capabilities, and a document about a nuclear deterrence conference.
The attackers use the FPX files for several purposes. For instance, the hackers have tried to obtain usernames and passwords by performing host-based enumeration through the FPX files, according to Adamitis. The North Korean hackers have also run Windows Management Instrumentation (WMI) queries to determine whether victim machines are running certain antivirus products, namely Malwarebytes, Windows Defender, McAfee, Sophos, or Trend Micro, before allowing their attack to continue.
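The antivirus check described above leaves a trace defenders can hunt for: a WMI query about security products issued from inside an Office process, which is where a document macro runs. The script below is an added example written for this page, not Prevailion's detection logic, and it runs over constructed log records in an assumed pipe-delimited `key=value` format (timestamp, client process id, process image, WMI namespace, query text); it does not reproduce any real Windows event schema. It flags queries from Word, Excel or PowerPoint that touch the `AntiVirusProduct` class in `root\SecurityCenter2` or that mention one of the products the article names.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Office hosts in which a VBA macro executes. A WMI query issued by one of
# these is the document asking, not an administrator.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# The SecurityCenter2 class that lists registered antivirus products, plus
# the vendors the article says the macro checks for.
AV_MARKERS = (
    "antivirusproduct",
    "malwarebytes",
    "defender",
    "mcafee",
    "sophos",
    "trend micro",
    "trendmicro",
)


@dataclass
class WmiQueryEvent:
    ts: str
    pid: int
    image: str
    namespace: str
    query: str


def parse_event(line: str) -> WmiQueryEvent:
    """Parse one record of the constructed 'ts|k=v|k=v...' log format."""
    ts, *fields = line.strip().split("|")
    kv = dict(field.split("=", 1) for field in fields)
    return WmiQueryEvent(ts, int(kv["pid"]), kv["image"], kv["wmi_ns"], kv["query"])


def is_av_reconnaissance(ev: WmiQueryEvent) -> bool:
    """True when an Office process queries WMI for antivirus products."""
    host = ev.image.rsplit("\\", 1)[-1].lower()
    if host not in OFFICE_HOSTS:
        return False
    haystack = f"{ev.namespace} {ev.query}".lower()
    return any(marker in haystack for marker in AV_MARKERS)


def hunt(lines: Iterable[str]) -> List[WmiQueryEvent]:
    """Return the events that match the AV-reconnaissance pattern."""
    return [ev for ev in map(parse_event, lines) if is_av_reconnaissance(ev)]


# Constructed sample records; paths and PIDs are invented for illustration.
SAMPLE_LOG = [
    r"2019-09-03T14:02:11Z|pid=4120|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|wmi_ns=root\SecurityCenter2|query=SELECT displayName FROM AntiVirusProduct",
    r"2019-09-03T14:02:12Z|pid=4120|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|wmi_ns=root\cimv2|query=SELECT Name FROM Win32_Process WHERE Name LIKE '%McAfee%'",
    r"2019-09-03T14:02:13Z|pid=4120|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|wmi_ns=root\cimv2|query=SELECT UserName FROM Win32_ComputerSystem",
    r"2019-09-03T14:05:00Z|pid=880|image=C:\Windows\System32\svchost.exe|wmi_ns=root\SecurityCenter2|query=SELECT * FROM AntiVirusProduct",
    r"2019-09-03T14:07:30Z|pid=5211|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|wmi_ns=root\cimv2|query=SELECT * FROM Win32_Process",
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit.ts} pid={hit.pid} {hit.namespace}: {hit.query}")
```

The two WINWORD.EXE records that name `AntiVirusProduct` and `McAfee` are flagged; the same `AntiVirusProduct` query from `svchost.exe` is not, because the Security Center service legitimately runs it. A macro can also spawn a child process (a script host or PowerShell) to do the querying, so a production rule should walk the parent-process chain back to the Office host rather than matching only the direct client process as this example does.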
Prevailion researchers say the campaign appears to be an extension of the 2018 BabyShark spearphishing campaign that targeted U.S. think tanks with spearphishing emails — and Adamitis said he suspects that the group is going to continue operating. AlienVault researchers have previously tied the BabyShark campaign to Kimsuky.
Last month, researchers from California-based threat intelligence company Anomali found a network of malicious websites that appear to be login portals for various government agencies and think tanks. Each of the targets was focused in some way on North Korea’s nuclear efforts.
Prevailion announced $10 million in Series A funding from AllegisCyber and DataTribe in July.