An Image Can Poison Just as Well as an Exploit Can

An emerging and increasingly sophisticated threat campaign is employing obscure file formats.

Research from business startup Prevailion
performed by Danny Adamitis and Elizabeth Wharton has found an emerging and increasingly sophisticated threat campaign employing obscure file formats. After detecting related trojanized documents -- all discussing nuclear deterrence as well as North Koreas nuclear submarine program and economic sanctions -- the people at Prevailion has dubbed the campaign Autumn Aperture. They did not say if they have also given it a cute emoji.
The new campaign is assessed by Prevailion experts to be an expansion of a coordinated effort to target US-based entities. They associate it with moderate confidence to the Kimsuky -- a.k.a. Smoke Screen -- threat actors and to them is a likely continuation of previously reported Baby Shark activity that targeted US national security think tanks.
The Prevailion research will be discussed at a conference on September 12.
Consistent with trends that have been previously seen, the threat actors continued to trojanize genuine documents in this campaign. Throughout it, when victims viewed the documents in an application, the malware would display a prompt to enable macros. Once macros were enabled, the document would then display the content -- in this case, a report on the construction of a new ballistic missile submarine (SSB) facility -- while surreptitiously installing additional malware on the victims computer.
One of the alternate documents used by the threat actors was previously referenced in a report by ESTSecurity, and its embedded domain was included in a report by the Agence Nationale de la Sécurité des Systèmes dInformation (ANNSI).
The threat actors have added new functionalities, such as an added feature to enumerate the host machine as well as experimenting with password protecting their documents.
Another feature called Windows Management Instrumentation (WMI) to determine if it was safe to obtain the next payload from the C&C server onto the host machine. The dropper would obtain a list of running processes and services, then compare that output to a list of known anti-virus products. The script would check for the presence of Malware Bytes, Windows Defender, Mcafee, Sophos and TrendMicro. Prevailion says that the last new feature of the script would attempt to obtain the applications version number -- in most cases this would likely be the version of Microsoft Word -- and then send the result to another actor-compromised domain, pirha[.]net/p/php?op=[version number].
To hide this new functionality, the threat actor embedded it in a Kodak FlashPix file format (FPX). This was for stealth, since the standard file format, VBA, had an initial detection rate of 23/57. But the FPX file format has a significantly lower detection rate, at 8/57 AV products, according to VirusTotal.
This technique followed a wider trend that Prevailion says it has been observing across multiple threat actor groups, in which they socially engineer victims with an image rather than relying on an exploit.
People being people, the future will show if this kind of technique furthers the attackers penetration rate.
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
An Image Can Poison Just as Well as an Exploit Can