CyberWire Daily - Focusing on Autumn Aperture. [Research Saturday]
Episode Date: September 28, 2019
Researchers at Prevailion have been tracking a malware campaign making use of antiquated file formats and social engineering to target specific groups. Danny Adamitis and Elizabeth Wharton are co-authors of the report, and they join us to share their findings. The research can be found here: https://blog.prevailion.com/2019/09/autumn-aperture-report.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So what we were doing is we kind of proactively look for threat actors.
And one of the things that we traditionally kind of look for are some of these trojanized documents.
That's Danny Adamitis.
He's director of intel analysis at Prevailion. The research we're discussing today is titled Autumn Aperture: Threat campaign highlights new evasion technique using an antiquated file format.
His co-author, Elizabeth Wharton, will be joining the conversation as well.
We like to focus on this particular aspect because if you're able to catch the document,
you can effectively nullify any additional payloads that come after that.
So what we were doing is we were kind of doing a deep dive,
and we noticed that in some of these trojanized documents, they had this unique Kodak FlashPix format file that was being flagged as malicious by some vendors, but not being flagged as malicious by many, which is kind of that really nice sweet spot we like to be in, where we can find things as it's kind of an emerging trend or an emerging technique used by these threat actors.
By being able to identify that, we were able to kind of raise visibility and kind of bring this new technique to light.
And that's what we're really happy about with this particular report.
Now, in terms of who we think we're up against here, is this a known threat group?
Is this work following on work we've seen before? Where do we stand there?
So during our analysis of this campaign, we did see some overlap with a previous campaign that was reported as Smoke Screen by
another security group. So we noticed that there was some overlap, and we tried to highlight this
to kind of note that it may be a continuation of that campaign. But other than that, we don't
really have any definitive attribution as to who could be behind those campaigns.
All right, well, let's walk through it together. Sort of take me through step by step.
If I were to find myself being victimized by this, how would that have played out?
Unfortunately, there is a little bit of speculation as we don't have the entire picture.
But what we've been able to gather is that a victim would likely have been sent an email, and that email would likely contain a Bitly link.
We believe that based off the content of this, it would probably be socially engineered to
each victim.
So, for example, one of the documents we talk about was a speaker's note from a conference
on the Nuclear Deterrence Summit.
So it would likely be a follow-up email saying, thank you for attending our summit.
Based off your interest in some of the conference talks you attended, we wanted to send you some of the speaker's notes. That way you have this as reference material moving forward.
Please click on this link to download this particular document. Once you have clicked on
the Bitly link, it would then go to a compromised WordPress site where the victim would then
download a RAR file. The RAR file is
just kind of a way for them to kind of pack it, if you will, and kind of obfuscate it in order to
evade certain antivirus detection. But once you click on that, it would then kind of appear as a
Microsoft Word document, and you would be greeted with a little prompt saying, please enable macros.
This document was written in a different version of Microsoft Word. It may be incompatible
because he might be using a Mac or Windows or what have you. And then when you click on the
enable macros button, that's when the actual payload starts to form.
And so, I mean, this is certainly not uncommon, this tricking people to try to enable their macros.
No, and really, it's a classic approach.
That's Elizabeth Wharton.
She's VP of Strategy and Operations at Prevailion and co-author of the report. In this case, for a conference that had 350 attendees,
they had over 367, 361 clicks on the Bitly link within the first week.
So common and highly successful though.
So because they're using a Bitly link,
that enables you to go look at the statistics for who's clicking through that link?
Yes.
So many people may be familiar with Bitly as kind of an internal marketing tool, how you can kind of see, hey, who clicked on my tweet or who clicked on this
particular ad? And you can say this was being clicked from, you know, Twitter or from a Facebook
post or maybe even LinkedIn. And it kind of helps building some of those metrics, which makes
marketing life easier for everyone else. We believe that we're able to basically harness those same
metrics. And we've actually included screenshots of that in our report.
Suppose I am a member of this conference, or an attendee of this conference, and I get this file,
and I think to myself, all right, well, this is something I'm interested in. I'd like to read the
follow-up on this. If I open this file, it looks like the real file. I will find real reports from the conference, yes?
Yes, with a small nuance, if I may. So when you actually open the document at first,
you will typically see kind of an image that would basically say, please enable macros in
order to view the document. And then once you enable macros, then you will see the actual
speaker's notes. We've actually kind of been able to look at some of the document metadata,
and we believe that this was indeed written by one of the presenters at the conference.
But if we could, the one thing we really want to emphasize is that before you actually get to that,
you do get greeted with that macro screen saying, please enable macros. And that's kind of the point where we want everyone to kind of stop for a second and say, this doesn't look right. Most people who kind of go about their
normal business days, you don't really get macro documents anymore. It's not something that's being
observed. So if you receive that from particularly an email or from someone who is outside of your
organization, we would really like people to just kind of stop for a second and say,
do I really need to enable macros? Where did this come from? Why is this happening?
And if you can actually stop there before you hit the enable button, that then nullifies the rest of the attack. So yeah, it's a
sophisticated attack from that point forward, but easy enough to stop with the proper amount of
training, which was our goal is to raise awareness for companies and potential victims to, hey, pay
attention to this.
It's worth noting that this is a growing threat campaign.
Yeah, I mean, it strikes me that in your top 10 list of red flags, I would say someone asking you to enable your macros has got to be in the top five, right?
It should be.
Yeah.
And the thing is, it's proven to be highly effective. And the thing is,
it's very cost effective for the threat actor. You can go on GitHub and you can download a number
of projects and they will help you build these macros in under an hour or so. And it doesn't
actually cost this threat actor anything, where if they were to try to use something like an
unknown exploit or a zero day, that typically involves a lot of time, a lot of research,
a lot of money, and it requires a lot of effort. So we kind of see people going after this because
it's quite frankly the low hanging fruit. Well, so let's continue through our little
malicious journey here. If I've taken the bait, I've enabled my macros, I'm minding my own business
reading the document, what's going on behind the scenes on my computer now?
So the first thing that happens is the macro tries to do what we're calling some
host-based enumeration. So what it will try to do is it will try to detect, is there any sort of
antivirus product that's currently being run on your machine? We kind of called out some of the
specific vendors that they were searching for. I believe it was Trend Micro. They were looking for
McAfee, Windows Defender,
some of these common antiviruses
that we believe are more likely to catch them.
And as we've seen,
they've actually added additional vendors in August,
and I believe one of the new ones was Sophos.
So I believe that their list is currently expanding.
So they're trying to kind of do some of this enumeration
to make sure that if they do pull down that next payload,
it will then be secure and that they're not jeopardizing their toolset.
So they're evolving.
Right.
So it checks to see if I'm running antivirus.
If I am, does it bail out?
Yes.
It basically sees this execution at that point in time and it will just say, stop, we're
not going to try to infect this particular machine.
And we've seen workstations where there are organizations where one person might be running antivirus and the person sitting
three feet next to them may not be. So it's kind of one of those things where with this campaign
of hitting 360 some people, they're just making a bet that enough people won't be running
antivirus that they'll still be able to have an effective campaign.
Now, at this point, is it doing any reporting back that this is what I found?
So we have noticed a little bit of reporting back.
In the August campaign, there was a new function,
where it looked like they were trying to pull the application version.
So in this particular case, we believe the application is Microsoft Word,
and they're trying to say, is this a new version of Word?
Is this an old version of Word?
We still don't fully understand what they're doing with that information yet,
but it does appear to be kind of that heartbeat message that yes, it was enabled or no,
it was not enabled. So suppose I don't have antivirus running, where do we go next?
So the next thing it does is it tries to actually pull down that next payload.
So what it will do is it will start a scheduled task, and it will try to reach out to another compromised WordPress site that we believe is hosting a malicious HTML document, or as we kind of call it in the document, an HTA.
So what that will do is that will basically then be converted into your normal executable that everyone is familiar with, and that we believe is the first stage payload.
And what's the functionality of that payload?
Unfortunately, we were not able
to obtain any payloads related to our documents. So this is still kind of a continuing investigation
on our side. But one of the other reasons we wanted to start publishing these IOCs is because
while we do not have perfect visibility, we believe that some of
the other partners in the antivirus industry may be able to find additional payloads based off this
research. And we're kind of hoping to kind of use this as a foundational report to maybe expand
upon later.
I see. Now, one of the interesting things about this is that they're making use of
an old file format to hide what they're up to.
Describe to us what's going on there.
So traditionally, when people create a macro, a legitimate macro in Microsoft Excel or Microsoft Word,
that script will get saved off as a VBA file or a Visual Basic application.
What we've seen them do is they basically have taken that same functionality of the visual basic file,
and they've just kind of converted it to a Kodak FlashPix file format, or FPX.
And this is, again, quite simple to do, where you can even just right-click on it and rename it as a Kodak FlashPix file,
and then they've just inserted that into the Word document.
We suspect that this was being done because the Kodak file format is not being scanned as regularly or
as intensely as some of the known VBA attacks. So we've seen VBA being used and abused by a number
of different actors, such as Emotet and just kind of everyone else. So by switching to this different
format, they were actually able to drop their detection rate by almost 66%, which would then
give them a higher chance of success
during your operation.
I mean, it's like nobody's looking for pagers these days
or criminals using Messenger to get their message across
rather than sending it, you know, you send a courier
rather than sending a text or other electronic.
And by taking it off the grid,
it permits the higher rate of
success. It's almost a security through obscurity.
Yeah, I mean, I couldn't help thinking as I was
reading through this that the fact that they were using this Kodak FlashPix format, I wonder if some
of the antivirus people can just look for the fact that someone's using such an old file format at all,
even before looking inside what might be in there, like that raises a red flag.
Who's using a Kodak FlashPix format?
You know, could that be an indicator at all itself, right?
Yeah.
Yeah. I mean, that was one of the goals of releasing the report with the information we had, to give businesses and teams that running head start that here's some stuff that perhaps you're no longer thinking of, or you've assumed, level setting within your company, that of course everyone knows not to do this. Well, remind them.
You know, of course we're checking. Well, you may not be checking for this. So by doing that, you can cut down the rate, you know, success rate.
Yeah. So where do we go from here? What
are your recommendations for folks to protect themselves from this? And then what are you
hoping the other members of the research community do with the
information you put out there? So our message to enterprise customers or anyone involved in this
is, again, it's a very simple of, if you see a document asking you to enable macros,
you should immediately stop and start contacting your IT or network support team.
The message that we were kind of trying to convey to some of the antivirus or cybersecurity vendors in there is that we're
now seeing this new technique, and we would kind of like to highlight this to make sure that it's
being given attention and that new signatures are being deployed to look for the visual basic
applications as well as this new file format, the FlashPix format.
New old file format.
Yes, this new old file format.
Right, right.
And again, just to kind of maybe jumpstart some investigations there
where maybe they have some indicators that this was being used in their network
and that you might want to go back and kind of look at those machines
to see if there was any additional payloads that were downloaded.
I mean, and you're looking at who they were targeting as well as going after the academic, the research, the nonprofit.
That's a sector that perhaps you don't realize how many conferences you go to a year.
And by going to that conference and you trust those conference materials that perhaps, again, just don't get lulled into that false sense of security.
Yeah, I mean, it's an interesting story here, the technical side, of course,
but then also the social engineering side of how they're going about targeting these folks who,
I suppose, they believe have information that could be of use to them.
And it's legitimate information. I mean, it's not as if they created a document that was in itself just garbage, so to speak.
Right. I would suspect, oh, well, this is, yeah, this is the paper from the conference I attended, or this is the certification or some other document, so I'm not suspicious of the document
itself. Yeah, that itself doesn't raise any red flags. So while I'm enjoying that document,
it's already begun. It's buying time, really. It's already begun its activities behind the scenes.
Yes. So from a social engineering aspect, this was very well executed on their part. The one
other thing we would like to highlight was, as this campaign was employing the
Kodak FlashPix format, we decided to have a little bit of fun with the name
Kodak. So that's why we obviously named this particular campaign Autumn Aperture.
But during the course of our research, we actually recalled that one of the old Kodak campaigns, like one of their official
campaign slogans, was that you click the button and we'll do the rest. So we threw
a little Easter egg in at the bottom where we said, you enable the macros, the
malware will do the rest.
There you go. Nice.
Our thanks to Danny Adamitis and Elizabeth Wharton from Prevailion for joining us.
We'll have a link to their research on Autumn Aperture in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.