Autumn Aperture: Don’t Enable Macros

According to Danny Adamitis and Elizabeth Wharton of Prevailion, spear-phishing emails targeting the U.S. have been using an obscure file format to evade antivirus software. They call this campaign "Autumn Aperture". The attackers send Word documents whose content is tailored to the victim's recent activities, and that level of tailoring produces a very high success rate. Before the victim can read the document, however, they are asked to enable macros. Once they do, the victim can read the Word document, but behind the scenes malware is being installed.

“It’s proving to be highly effective,” Adamitis said in a recent podcast with The CyberWire. “It’s very cost effective for a threat actor. You can go on GitHub and you can download a number of projects and they will help you build these macros in under an hour or so. And it doesn’t actually cost this threat actor anything.”

One way to tell that an email belongs to this phishing campaign: the attackers embedded the Visual Basic file in an old, obscure file format known as "Kodak FlashPix." Unfortunately, most antivirus scanners will not flag it as a threat. The best prevention is simply not to enable macros. "If you can actually stop there before you hit the enable button, that nullifies the rest of the attack," said Adamitis. Wharton went on to state that raising awareness of threats through ongoing security awareness training is key to an organization's successful defense.
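As an added defender-side illustration (this is not code from Prevailion or the podcast), the following Python checker looks inside a Word document for the two things the article describes: VBA macro parts, and embedded OLE objects whose root storage CLSID is the FlashPix image identifier. It assumes the FlashPix payload is stored as an OLE compound file inside the OOXML zip; the sample documents are constructed in memory.

```python
"""Flag OOXML Word documents that carry VBA macro parts or embedded Kodak
FlashPix containers (constructed samples only; assumes OLE-wrapped FlashPix)."""
import io
import struct
import uuid
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Root storage CLSID defined by the FlashPix image format specification.
FLASHPIX_CLSID = uuid.UUID("56616700-c154-11ce-8553-00aa00a1f95b")


def ole_root_clsid(blob):
    """Return the root storage CLSID of an OLE compound file, or None."""
    if not blob.startswith(OLE_MAGIC) or len(blob) < 512:
        return None
    sector_shift = struct.unpack_from("<H", blob, 30)[0]       # log2(sector size)
    first_dir_sector = struct.unpack_from("<I", blob, 48)[0]   # directory chain start
    root_entry = (first_dir_sector + 1) << sector_shift        # sector 0 follows header
    if len(blob) < root_entry + 128:
        return None
    return uuid.UUID(bytes_le=blob[root_entry + 80:root_entry + 96])


def scan_docx(data):
    """List macro parts and FlashPix-containing embedded objects in a .docx/.docm."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"{name}: VBA macro project")
            if ole_root_clsid(zf.read(name)) == FLASHPIX_CLSID:
                findings.append(f"{name}: embedded Kodak FlashPix container")
    return findings


def _fake_flashpix():
    """Constructed minimal OLE file whose root entry carries the FlashPix CLSID."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)   # 512-byte sectors
    struct.pack_into("<I", header, 48, 0)   # directory starts at sector 0
    root = bytearray(128)
    root[80:96] = FLASHPIX_CLSID.bytes_le
    return bytes(header) + bytes(root) + bytes(512 - 128)


def build_sample(with_macro, with_fpx):
    """Constructed OOXML zip standing in for a lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 8)
        if with_fpx:
            zf.writestr("word/embeddings/oleObject1.bin", _fake_flashpix())
    return buf.getvalue()
```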

“Our message to enterprise customers or anyone involved in this is, again, very simple,” stated Adamitis, “if you see a document asking you to enable macros, you should immediately stop and start contacting your IT or network support team.”

For a full transcript of the podcast, visit The CyberWire here.