Focusing on Autumn Aperture.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word from our sponsor, Juniper Networks. Join Juniper at NXTWORK 2019 to learn, share, and collaborate with game changers from companies across the networking industry. This year's event features keynotes from Juniper executives, as well as special guest speaker Earvin "Magic" Johnson, along with over forty breakouts and master classes led by distinguished engineers, as well as various opportunities for certification testing and training. Visit juniper.net/nxtwork for more information. That's juniper.net/nxtwork. And we thank Juniper for sponsoring our show.
Dave Bittner: [00:01:09] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Danny Adamitis: [00:01:49] So, what we were doing is we kind of proactively look for threat actors, and one of the things that we traditionally kind of look for are some of these Trojanized documents.
Dave Bittner: [00:01:59] That's Danny Adamitis. He's Director of Intel Analysis at Prevailion. The research we're discussing today is titled, "Autumn Aperture: Threat Campaign Highlights New Evasion Technique using an Antiquated File Format." His co-author, Elizabeth Wharton, will be joining the conversation as well.
Danny Adamitis: [00:02:15] We like to focus on this particular aspect, because if you're able to catch the document, you can effectively nullify any additional payloads that come after that. So, what we were doing is we were kind of doing a deep dive, and we noticed that – in some of these Trojanized documents – we noticed that they had this unique Kodak Flash Format file that was being flagged as malicious by some vendors, but not being flagged as much as by many, which is kind of that really nice, sweet spot we like to be in, where we can find things as it's kind of an emerging trend or an emerging technique used by these three actors. By being able to identify that, we were able to kind of raise visibility and kind of bring this new technique to light. And that's what we're really happy about with this particular report.
Dave Bittner: [00:02:56] Now, in terms of who we think we're up against here – is this a known threat group? Is this work following on work we've seen before? Where do we stand there?
Danny Adamitis: [00:03:07] So, during our analysis of this campaign, we did see some overlap with a previous campaign that was reported as "Smoke Screen" by a another security group. So we noticed that there were some trends and we tried to highlight this to kind of note there may be a continuation of their campaign. But other than that, we don't really have any definitive attribution as to who could be behind those campaigns.
Dave Bittner: [00:03:30] All right. Well, let's walk through it together. Sort of take me through step-by-step. If I were to find myself being victimized by this, how would that have played out?
Danny Adamitis: [00:03:40] Unfortunately, there is a little bit of speculation as we don't have the entire picture, but what we've been able to gather is that a victim would likely have been sent an email, and that email would likely contain a Bitly link. We believe that based off the content of this, it would probably be socially engineered to each victim.
Danny Adamitis: [00:03:58] So, for example, one of the documents we talk about was a speaker's note from a conference on the Nuclear Deterrence summit. So it would likely be a follow up email saying, "Thank you for attending our summit. Based off your interest in some of the conference talks you attended, we wanted to send you some of the speaker's notes, so that way you have this as reference material moving forward. Please click on this link to download this particular document."
Danny Adamitis: [00:04:20] Once you have clicked on the Bitly link, it would then go to a compromised WordPress site where the victim within download a RAR file. The RAR file is just kind of a way for them to kind of pack it, if you will, and kind of obfuscate it in order to evade certain antivirus detection. But once you click on that, it would then kind of appear as a Microsoft Word document and you would be greeted with a little prompt saying, "Please enable macros. This document was written in a different version of Microsoft Word and may be incompatible because you might be using a Mac or a Windows or what have you." And then when you click on the Enable Macro button, that's when the actual payload starts to form.
Dave Bittner: [00:04:59] Hmm. And so, I mean, this is certainly not uncommon, this tricking people to try to enable their macros.
Elizabeth Wharton: [00:05:07] No. And really, it's a classic approach.
Dave Bittner: [00:05:12] That's Elizabeth Wharton. She's VP of Strategy and Operations at Prevailion and co-author of the report.
Elizabeth Wharton: [00:05:18] In this case, it's for a conference that had three hundred and fifty attendees. They had over three hundred and sixty-one clicks on the Bitly link within the first week. So, common and highly successful.
Dave Bittner: [00:05:35] So, because they're using a Bitly link, that enables you to go look at the statistics for who's clicking through that link.
Danny Adamitis: [00:05:44] Yes. So, many people may be familiar with Bitly as kind of an internal marketing tool. How you can kind of see, hey, who clicked on my tweet or who clicked on this particular ad? And you can say, this was being clicked from, you know, Twitter, or from a Facebook post, or maybe even LinkedIn. And it kind of helps building some of those metrics books makes marketing life easier for everyone else. We believe that we're able to basically harness those same metrics, and we've actually included screenshots of that in our report.
Dave Bittner: [00:06:11] Suppose I am a member of this conference or an attendee of this conference and I get this file and I think to myself, all right, well, this is something I'm interested in – I'd like to read the follow up on this. If I open this file, it looks like the real file. I will find real reports from the conference, yes?
Danny Adamitis: [00:06:31] Yes, with a small nuance, if I may. So, when you actually open the document at first, you will typically see kind of an image that would basically say, "please enable macros in order to view the document." And then once you enable macros, then you will see the actual speaker's notes. We've actually kind of been able to look at some of the document metadata, and we believe that this was indeed written by one of the presenters at the conference. If we could, the one thing we really want to emphasize is that before you actually get to that, you do get greeted with that macro screen saying "please enable macros." And that's kind of the point where we want everyone to kind of stop for a second and say, this doesn't look right. Most people who kind of go about their normal business days, you don't really get macro documents anymore.
Dave Bittner: [00:07:12] Right.
Danny Adamitis: [00:07:12] It's not something that's being observed. So if you receive that from particularly an email or from someone who is outside of your organization, we would really like people to just kind of stop for a second and say, do I really need to enable macros? Where did this come from? Why is this happening? And if you can actually stop there before you hit the enable button, that nullifies the rest of the attack.
Elizabeth Wharton: [00:07:32] So yeah, it's a sophisticated attack from that point forward, but easy enough to stop with the proper amount of training, which was – our goal is to raise awareness for companies and potential victims to, hey, pay attention to this. It's worth noting that this is a growing threat campaign.
Dave Bittner: [00:07:53] Yeah, I mean, it strikes me that in your top ten list of red flags, I would say someone asking you to enable your macros has got to be in the top five, right? (Laughs).
Elizabeth Wharton: [00:08:03] It should be.
Dave Bittner: [00:08:06] Yeah.
Danny Adamitis: [00:08:06] And the thing is, it's proving to be highly effective. And the thing is, it's very cost effective for a threat actor. You can go on GitHub and you can download a number of projects and they will help you build these macros in under an hour or so. And it doesn't actually cost this threat actor anything. Where if they were to try to use something like an unknown exploit or a zero-day, that typically involves a lot of time, a lot of research, a lot of money – it requires a lot of effort. So we kind of see people going after this because it's, quite frankly, the low-hanging fruit.
Dave Bittner: [00:08:35] Well, so let's continue through our little malicious journey here. If I've taken the bait, I've enabled my macros, I'm minding my own business, reading the document, what's going on behind the scenes on my computer now?
Danny Adamitis: [00:08:49] So the first thing that happens is the macro tries to do what we're calling some host-based enumeration. So what it will try to do is it will try to detect, is there any sort of antivirus product that's currently being run on your machine? We kind of called out some of the specific vendors that they were searching for – I believe it was Trend Micro, they were looking for McAfee, Windows Defender – some of these common antiviruses that we believe are more likely to catch them. And as we've seen, they've actually added additional vendors in August, and I believe one of the new ones was Sophos. So I believe that their list is currently expanding. So they're trying to kind of do some of this enumeration to make sure that if they do pull down that next payload, it will then be secure and that they're not jeopardizing their toolset.
Elizabeth Wharton: [00:09:32] So they're evolving.
Dave Bittner: [00:09:33] Right. So it checks to see if I'm running antivirus. If I am, does it bail out?
Danny Adamitis: [00:09:40] Yes. It basically ceases execution at that point in time, and it'll just say stop, we're not going to try to infect this particular machine. And we've seen, you know, workstations where there are organizations where one person might be running antivirus and the person sitting three feet next to them may not be. So it's kind of one of those things where, with this campaign of hitting three hundred and sixty-some people, they're just banking on the fact that enough people won't be running antivirus – that they'll still be able to have an effective campaign.
Dave Bittner: [00:10:07] Now, does it – at this point, is it doing any reporting back that this is what I found?
Danny Adamitis: [00:10:12] So we have noticed a little bit of reporting back. In the August campaign, there was a new function, how it looked like they were trying to pull the application version. So in this particular case, we believe the application is Microsoft Word. And you're trying to say, is this a new version of Word? Is this an old version of Word? We still don't fully understand what they're doing with that information yet, but there does appear to be kind of that heartbeat message that, yes, it was enabled, or no, it was not enabled.
Dave Bittner: [00:10:39] So, suppose I don't have antivirus running. Where do we go next?
Danny Adamitis: [00:10:44] So, the next thing it does is it tries to actually pull down that next payload. So what it will do is it will start a scheduled task and it will try to reach out to another compromised WordPress site that we believe is hosting a malicious HTML document – or as we kind of call it in the document, an HTA. So what that will do is that will basically then be converted into your normal executable that everyone is familiar with and that we believe is the first-stage payload.
Dave Bittner: [00:11:11] And what's the functionality of that payload?
Danny Adamitis: [00:11:13] Unfortunately, we were not able to obtain any payloads related to our documents. So, we – this is still a kind of a continuing investigation on our side, but one of the other reasons we wanted to start publishing these IoCs is because, while we do not have perfect visibility, we believe that some of the other partners in the antivirus industry may be able to find additional payloads based off this research. And we're kind of hoping to kind of use this as a foundational report to maybe expand upon later.
Dave Bittner: [00:11:40] I see. Now, one of the interesting things about this is that they're making use of an old file format to hide what they're up to. Describe to us what's going on there.
Danny Adamitis: [00:11:52] So, traditionally, when people create a macro – a legitimate macro in Microsoft Excel or Microsoft Word – that script will get saved off as a VBA file, or a Visual Basic Application. What we've seen them do is they basically have taken that same functionality of the Visual Basic file and they've just kind of converted it to a Kodak Flash File format, or FPX. And this is, again, quite simple to do, where you can even just right click on it and rename it as a Kodak Flash File, and then they've just inserted that into the Word document.
Danny Adamitis: [00:12:22] We suspect that this was being done because the Kodak file format is not being scanned as regularly or as tensely as some of the known VB attacks. So where you're seeing VBA being used and abused by a number of different actors such as Emotet and just kind of everyone else. So by switching to this different format, they were actually able to drop their detection rate by almost sixty-six percent, which would then give them a higher chance of success during their operation.
Elizabeth Wharton: [00:12:52] I mean, it's like nobody's looking for pagers these days...
Dave Bittner: [00:12:54] Right.
Elizabeth Wharton: [00:12:55] ...Or criminals using a messenger to get their message across rather than sending it – you know, you send a courier rather than sending a text or other electronic. And by taking it off the grid, it permits the higher rate of success.
Danny Adamitis: [00:13:12] It's almost security through obscurity.
Dave Bittner: [00:13:15] Yeah, I mean, it's – I couldn't help thinking as I was reading through this that the fact that they are using this Kodak FlashPix Format – I wonder if some of the antivirus people can just look for the fact that someone's using such an old file format at all, even before looking inside what might be in there – like, that raises a red flag. Who's using a Kodak FlashPix Format? You know, could that be an indicator at all itself, right?
Elizabeth Wharton: [00:13:44] Yeah. I mean, that's – and that was one of the goals of releasing the report with the information we had, was to give businesses and teams that running head start – that here's some stuff that perhaps you're no longer thinking of or you've assumed level setting within your company that, of course, everyone knows not to do this. Well, remind them. You know, of course we're checking. Well, you may not be checking for this. So by doing that, you can cut down that rate – the success rate.
Dave Bittner: [00:14:19] Yeah. So, where do we go from here? What are your recommendations for folks to protect themselves from this? And then what are you hoping the other members of the research community do with the information you put out there?
Danny Adamitis: [00:14:32] So, our message to enterprise customers or anyone involved in this is, again, very simple – if you see a document asking you to enable macros, you should immediately stop and start contacting your IT or network support team. The message that we are kind of trying to convey to some of the antivirus or cybersecurity vendors in there is that we're now seeing this new technique and we would kind of like to highlight this to make sure that it's being given attention and that new signatures are being deployed to look for the Visual Basic Applications, as well as this new file format, the FlashPix format.
Dave Bittner: [00:15:07] New old file format. (Laughter)
Danny Adamitis: [00:15:08] (Laughter) Yes, this new-old file format. And again, it's just to kind of maybe jumpstart some investigations there, where maybe they have some indicators that this was being used in their network and that you might want to go back and kind of look at those machines to see if there was any additional payloads that were downloaded.
Elizabeth Wharton: [00:15:23] I mean, and you're looking at who they were targeting as well, as going after the academic, the research, the nonprofit – that's a sector that perhaps you don't realize how many conferences you go to a year, and by going to that conference and you trust those conference materials, that perhaps, again, just don't get lulled into that false sense of security.
Dave Bittner: [00:15:50] Mm-hmm. Yeah, I mean, it's an interesting story here. The technical side, of course, but then also the social engineering side of how they're going about targeting these folks who I suppose they believe have information that could be of use to them.
Elizabeth Wharton: [00:16:04] And it's legitimate information. I mean, it's not as if they created a document that was in itself just garbage, so to speak...
Dave Bittner: [00:16:14] Right.
Elizabeth Wharton: [00:16:15] ...It's the actual research reports, papers. And taking that aspect of, I mean, who's going to suspect, oh, well, this is – yeah, this is the paper from the conference I attended. Or this is the certification or some other document that I'm not suspicious of the document itself.
Dave Bittner: [00:16:36] Yeah, that itself doesn't raise any red flags, so while I'm enjoying that document, it's already begun. It's buying time, really. It's already begun its activities behind the scenes.
Danny Adamitis: [00:16:47] Yes. So from a social engineering aspect, this was very well executed on their part. The one other thing we would like to highlight was as this campaign was employing the Kodak FlashPix Format, we decided to have a little bit fun with the name Kodak. So that's why we obviously named this particular campaign Autumn Aperture. But during the course of our research, we actually recalled that one of the old Kodak campaigns, like one of their official campaign slogans, was that you click the button and then we'll do the rest. So we threw a little Easter egg in at the bottom where we said, you enable the macros, the malware will do the rest.
Dave Bittner: [00:17:21] There you go. Nice. (Laughs)
Dave Bittner: [00:17:27] Our thanks to Danny Adamitis and Elizabeth Wharton from Prevailion for joining us. We'll have a link to their research on Autumn Aperture in the show notes.
Dave Bittner: [00:17:37] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:17:46] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:17:54] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.