STOLEN PENCIL campaign, hackers target academic institutions.

Pierluigi Paganini December 09, 2018

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year.

North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website where a decoy document that attempts to trick users into installing a malicious Google Chrome extension. 
Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities had expertise in biomedical engineering. 

Attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (i.e. Korean keyboards, open web browsers in Korean, English-to-Korean translators).

“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension.” reads the analysis published by the experts.

“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”

Threat actors used many basic phishing pages, the more sophisticated of them targeted academia display a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The malicious extension loads JavaScript from a separate site, experts only found a file containing legitimate jQuery code, likely because the threat actors replaced the malicious code to make hard the analysis. The malicious extension allows the attacker to read data from all the websites accessed by the victim, a circumstance that suggests attackers were looking to steal browser cookies and passwords. 

Experts pointed out that the attackers did not use a malware to compromise the targets, the STOLEN PENCIL attackers employed RDP to access the compromised systems, researchers observed remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’ ones, the latter adds a Windows administrator account to the system and would also enable RDP.

The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The list of the tools include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

The STOLEN PENCIL campaign likely represents only a small set of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the aforementioned cryptojacker, and the use of Korean language suggests the actor is of North Korean origin, the security researchers say. 

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. ” NetScout concludes. 

“This, along with the presence of the cryptojacker, is typical of DPRK tradecraft.  Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.” 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – STOLEN PENCIL, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment