Threat Watch

North Korean Group Using Obscure File Format to Evade Anti-Virus

North Korea (Kimsuky): The North Korean-linked hacking group Kimsuky, also tracked as Smoke Screen, has been linked to a recent campaign targeting US entities. The group has been active for some time and previously targeted South Korean think tanks. It now uses spear phishing to deliver trojanized documents to US targets, typically launching a new wave whenever a major event occurs between the US and North Korea. The lure documents vary in style and purport to contain information on topics such as nuclear deterrence, North Korea’s nuclear submarine program and economic sanctions. The theme changes with the state of US-North Korean relations at the time and with the event the group is trying to exploit. For example, when denuclearization talks at the February summit between the US and North Korea collapsed, a new wave of emails followed shortly afterwards, carrying malicious documents that claimed to contain information about North Korean denuclearization. Timing a wave to such an event makes the phishing emails harder for targets to spot, because their content appears relevant.

To raise the infection rate and avoid detection, the group has also started delivering its documents in obscure file formats, primarily Kodak FlashPix (FPX) files. This reportedly cuts the chance of being caught by almost half, because FPX files are less likely to be flagged by anti-virus software. Lower detection is only one reason Kimsuky uses FPX: when the objective is credential theft, the group also uses the FPX payloads to perform host-based enumeration, and it runs Windows Management Instrumentation (WMI) queries to determine whether the target is running anti-virus, and which product, before allowing the attack to proceed. Macros have long been a staple of attackers' toolkits and are still being used by actors to this day.

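The practical lesson of the FPX trick is that an "obscure" extension does not mean an obscure container: FlashPix files are OLE2 compound files, the same structured-storage format as classic Word and Excel documents, so a defender who keys on content rather than extension still sees the macro storage. The following is an added example written for this item, not code from the Threat Watch write-up or from any vendor report on Kimsuky: a minimal compound-file parser that validates the OLE signature, walks the directory tree and flags a VBA project by its storage name. The sample file it inspects is constructed inline and contains only the directory layout (no real macro code); the function and constant names are this example's own.

```python
import struct

# Added example, not from the Threat Watch item or any vendor report: a minimal OLE2 /
# Compound File Binary parser. FlashPix (.fpx), Word .doc, Excel .xls and friends all use
# this container, so triage should key on content, not extension. The sample is constructed.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STGTY_STORAGE, STGTY_STREAM, STGTY_ROOT = 1, 2, 5

def is_ole(data: bytes) -> bool:
    """True if the bytes carry the compound-file signature (shared by .fpx/.doc/.xls/.msi)."""
    return data[:8] == OLE_MAGIC

def _fat(data: bytes, size: int) -> list:
    """Load the FAT through the 109 DIFAT slots in the header (enough for small files)."""
    fat = []
    for i in range(109):
        sid = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if sid in (FREESECT, ENDOFCHAIN):
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), data[(sid + 1) * size:(sid + 2) * size]))
    return fat

def _dir_entries(data: bytes, size: int, fat: list, sid: int) -> list:
    """Follow the directory sector chain and decode each 128-byte directory entry."""
    entries, seen = [], set()
    while sid not in (FREESECT, ENDOFCHAIN) and sid < len(fat) and sid not in seen:
        seen.add(sid)
        sec = data[(sid + 1) * size:(sid + 2) * size]       # sector 0 follows the 512-byte header
        for off in range(0, len(sec) - 127, 128):
            raw = sec[off:off + 128]
            name_len = struct.unpack_from("<H", raw, 64)[0]  # UTF-16 length incl. terminator
            name = raw[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            left, right, child = struct.unpack_from("<III", raw, 68)
            entries.append({"name": name, "type": raw[66], "left": left, "right": right, "child": child})
        sid = fat[sid]
    return entries

def ole_streams(data: bytes) -> list:
    """Return the path of every stream in the container, e.g. 'Macros/VBA/dir'."""
    if not is_ole(data):
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    entries = _dir_entries(data, size, _fat(data, size), struct.unpack_from("<I", data, 48)[0])
    paths, visited = [], set()

    def walk(idx: int, prefix: str) -> None:
        # The entries of one storage form a binary tree of siblings; walk it in order.
        if idx == NOSTREAM or idx >= len(entries) or idx in visited:
            return
        visited.add(idx)
        e = entries[idx]
        walk(e["left"], prefix)
        if e["type"] == STGTY_STREAM:
            paths.append(prefix + e["name"])
        elif e["type"] == STGTY_STORAGE:
            walk(e["child"], prefix + e["name"] + "/")
        walk(e["right"], prefix)

    if entries and entries[0]["type"] == STGTY_ROOT:
        walk(entries[0]["child"], "")
    return paths

def has_vba_project(data: bytes) -> bool:
    """Flag a VBA project by its storage name, whatever the file extension claims."""
    return any("/VBA/" in ("/" + p).upper() for p in ole_streams(data))

def _entry(name: str, etype: int, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM) -> bytes:
    raw = bytearray(128)
    enc = name.encode("utf-16-le") + b"\x00\x00"
    raw[:len(enc)] = enc
    struct.pack_into("<HBB", raw, 64, len(enc), etype, 1)   # name length, type, colour
    struct.pack_into("<III", raw, 68, left, right, child)
    struct.pack_into("<I", raw, 116, ENDOFCHAIN)            # no stream data in the sample
    return bytes(raw)

def build_sample_ole() -> bytes:
    """Constructed sample: header, one FAT sector and two directory sectors declaring Macros/VBA."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)   # version 3, 512-byte sectors
    struct.pack_into("<IIII", hdr, 44, 1, 1, 0, 4096)             # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT
    hdr[76:512] = b"\xff" * 436                                   # DIFAT slots all free ...
    struct.pack_into("<I", hdr, 76, 0)                            # ... except slot 0: FAT at sector 0
    fat = bytearray(b"\xff" * 512)
    struct.pack_into("<III", fat, 0, FATSECT, 2, ENDOFCHAIN)      # sector 0 is FAT; dir chain 1 -> 2
    directory = b"".join([
        _entry("Root Entry", STGTY_ROOT, child=1),
        _entry("Macros", STGTY_STORAGE, right=4, child=2),
        _entry("VBA", STGTY_STORAGE, child=3),
        _entry("dir", STGTY_STREAM),
        _entry("WordDocument", STGTY_STREAM),
    ])
    return bytes(hdr + fat + directory.ljust(1024, b"\x00"))
```

Running `ole_streams(build_sample_ole())` lists `Macros/VBA/dir` and `WordDocument`, and `has_vba_project` returns true for the sample even though nothing in the bytes says ".doc" or ".fpx". In a real triage pipeline the same check belongs on every attachment regardless of extension, ideally with a maintained parser such as the olefile/oletools projects rather than this teaching version, which deliberately skips the mini-FAT and DIFAT overflow sectors that larger files need.
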
Kimsuky has begun making its attacks stealthier in order to evade detection. By sending out a wave only when something major happens, the group tries to catch its victims off guard. It is an example of how some nation-state actors are methodical, thinking about how to infect specific accounts rather than blasting generic phishing emails at a mass audience in the hope of compromising anyone. Because the group waits for an opportunity before launching, it is likely targeting particular people for particular reasons.