North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website where a decoy document that attempts to trick users into installing a malicious Google Chrome extension.
Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities had expertise in biomedical engineering.
Attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (i.e. Korean keyboards, open web browsers in Korean, English-to-Korean translators).
“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a
“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”
Threat actors used many basic phishing pages, the more sophisticated of them targeted academia display a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.
Experts pointed out that the attackers did not use a malware to compromise the targets, the STOLEN PENCIL attackers employed RDP to access the compromised systems, researchers observed remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).
STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’ ones, the latter adds a Windows administrator account to the system and would also enable RDP.
The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The list of the tools include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.
The STOLEN PENCIL campaign likely represents only a small set of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the aforementioned cryptojacker, and the use of Korean language suggests the actor is of North Korean origin, the security researchers say.
“While we were able to gain insight into the threat actor’s
“This, along with the presence of the
(Security Affairs – STOLEN PENCIL, hacking)