North Korea-linked Hackers Target Academic Institutions

A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.

The attackers send spear-phishing emails linking to a website where a lure document tries to trick the user into installing a malicious Google Chrome extension. Following initial compromise, off-the-shelf tools are used to maintain persistence.

The campaign likely hit other targets as well, though NetScout says that only the phishing domains aimed at academia were set up to deliver the malicious Chrome extension. Many of the intended victims, spread across multiple universities, had expertise in biomedical engineering.

The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to observe open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean.

Built-in Windows administration tools and commercial off-the-shelf programs were employed to “live off the land”, and Remote Desktop Protocol (RDP) was also used to ensure continuous access. However, because there is no evidence of data theft, the motivation behind the attacks is largely uncertain.

The campaign, which NetScout refers to as STOLEN PENCIL, employed many basic phishing pages, the researchers say. The more sophisticated phishing pages that targeted academia displayed a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The extension loads JavaScript from a separate site, but when the researchers retrieved that file it contained only legitimate jQuery code, likely because the attackers had swapped out the malicious code to hinder analysis. Because the extension could read data from every website the victim visited, the researchers believe it was meant to steal browser cookies and saved passwords.
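The two traits that make the "Font Manager" extension dangerous are visible before any payload runs: its manifest grants access to every site the browser loads, and its packaged script pulls more code from a remote origin that the operator can swap at will. The script below, an added example that is not code from NetScout or from the campaign, audits extension manifests and scripts for exactly that combination; the sample manifest, scripts and the placeholder domain are constructed for the demonstration, and the loader patterns it matches are the plain forms only (an obfuscated loader needs dynamic analysis).

```python
"""Audit Chrome extension manifests and scripts for the traits of the
"Font Manager" extension described above: access to every site the victim
visits and JavaScript pulled from a remote origin that the operator can swap.
Added example, not code from NetScout or the campaign; the sample manifest and
scripts below are constructed and the domain is a placeholder."""
import json
import os
import re

# Match patterns that grant access to every origin the browser loads.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Common ways an extension pulls code from a server instead of its package:
# injected <script>.src, importScripts(), fetch() (then eval), jQuery getScript.
REMOTE_LOAD_RE = re.compile(
    r"""(?:\.src\s*=\s*|importScripts\(\s*|fetch\(\s*|\$\.getScript\(\s*)"""
    r"""['"](https?://[^'"]+)['"]"""
)


def is_broad(pattern: str) -> bool:
    """True for a host pattern that covers every site."""
    return pattern.strip() in BROAD_HOSTS


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for risky grants in a manifest (v2 or v3)."""
    findings = []
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    broad = [p for p in perms if is_broad(p)]
    if broad:
        findings.append(f"host permission on every site: {broad}")
    if "cookies" in perms:
        findings.append("cookies permission: can read session cookies for permitted hosts")
    for cs in manifest.get("content_scripts", []):
        hits = [m for m in cs.get("matches", []) if is_broad(m)]
        if hits:
            findings.append(f"content script {cs.get('js', [])} runs in every page ({hits})")
    return findings


def find_remote_loads(js_source: str) -> list:
    """URLs of scripts the extension fetches at run time, deduplicated."""
    return sorted(set(REMOTE_LOAD_RE.findall(js_source)))


def audit_extension(manifest: dict, scripts: dict) -> dict:
    """Combine both checks. An extension that sees every page AND loads remote
    code is flagged: the package can look clean (plain jQuery, as NetScout found)
    while the real payload lives on the server."""
    findings = audit_manifest(manifest)
    remote = {name: find_remote_loads(src) for name, src in scripts.items()}
    remote = {k: v for k, v in remote.items() if v}
    sees_every_page = any("every" in f for f in findings)
    return {
        "name": manifest.get("name", "?"),
        "findings": findings,
        "remote_loads": remote,
        "suspicious": sees_every_page and bool(remote),
    }


def scan_profile(extensions_dir: str) -> list:
    """Walk a Chrome profile's Extensions folder and audit every manifest found."""
    results = []
    for root, _dirs, files in os.walk(extensions_dir):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
            manifest = json.load(fh)
        scripts = {}
        for name in files:
            if name.endswith(".js"):
                with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                    scripts[name] = fh.read()
        results.append(audit_extension(manifest, scripts))
    return results


# Constructed sample: what a "Font Manager"-style lure extension might declare.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Font Manager (constructed sample)",
    "permissions": ["<all_urls>", "cookies", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_SCRIPTS = {
    # The loaded URL is a placeholder, not an indicator from the report.
    "content.js": 'var s=document.createElement("script");'
                  's.src="https://cdn.example.invalid/fm.js";document.head.appendChild(s);',
}
# Constructed benign comparison: acts only on the active tab and ships its own code.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Font Picker (constructed sample)",
    "permissions": ["activeTab"],
}
BENIGN_SCRIPTS = {"popup.js": "document.body.style.fontFamily = 'serif';"}

if __name__ == "__main__":
    for m, s in ((SAMPLE_MANIFEST, SAMPLE_SCRIPTS), (BENIGN_MANIFEST, BENIGN_SCRIPTS)):
        print(json.dumps(audit_extension(m, s), indent=2))
```

On a Windows host, point `scan_profile` at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`; the broad-host check alone produces many false positives (ad blockers, password managers), which is why the verdict requires the remote-load trait as well.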

Rather than deploying custom malware, the STOLEN PENCIL actors relied on RDP to access the compromised machines, with the remote access occurring daily between 06:00 and 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL also used two signed sets of tools, named MECHANICAL and GREASE. MECHANICAL logs keystrokes and swaps any Ethereum wallet address it encounters for one controlled by the attackers; GREASE adds a Windows administrator account to the system and enables RDP.

The security researchers also discovered an archive containing tools for port scanning, memory and password dumping, and more. These include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

“Clearly this toolset can be used to scavenge passwords stored in a wide array of locations. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system,” NetScout notes. 
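The foothold NetScout describes leaves a recognizable trail in the Windows Security log: GREASE creating an account and adding it to Administrators, the batch files turning on RDP, and the operators' RDP sessions landing in a fixed 06:00-09:00 UTC window. The triage script below, an added example and not NetScout's or the campaign's code, correlates those signals per account across events 4720 (account created), 4732 (member added to a local group) and 4624 with logon type 10 (RDP). The events it runs over are constructed for the demonstration; the event IDs and field names are the real Security-log ones.

```python
"""Triage Windows Security events for the foothold pattern described above:
a freshly created local account, its addition to Administrators (what GREASE
does), and RDP logons inside the 06:00-09:00 UTC window NetScout observed.
Added example, not NetScout's or the campaign's code. The events below are
constructed; the event IDs and field names are the real Security-log ones."""
from collections import defaultdict
from datetime import datetime, timezone

ACCOUNT_CREATED = 4720       # A user account was created
MEMBER_ADDED_LOCAL = 4732    # A member was added to a security-enabled local group
LOGON = 4624                 # An account was successfully logged on
RDP_LOGON_TYPE = "10"        # RemoteInteractive, i.e. RDP
WINDOW_UTC = (6, 9)          # [start, end) hours, from the report


def parse_ts(s: str) -> datetime:
    """Exported events carry UTC timestamps like 2020-01-06T06:12:33Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account(name: str) -> str:
    """Strip a DOMAIN\\ or HOST\\ prefix so 4732's MemberName matches 4624/4720."""
    return name.rsplit("\\", 1)[-1].lower()


def in_window(ts: datetime) -> bool:
    """True when the timestamp falls in the operators' observed RDP window."""
    h = ts.astimezone(timezone.utc).hour
    return WINDOW_UTC[0] <= h < WINDOW_UTC[1]


def triage(events: list) -> list:
    """Return one alert per account with the reasons that fired, strongest first."""
    created, admins = {}, {}
    rdp = defaultdict(list)          # user -> [(time, source ip)]
    for e in sorted(events, key=lambda ev: parse_ts(ev["time"])):
        eid, d, t = e["id"], e["data"], parse_ts(e["time"])
        if eid == ACCOUNT_CREATED:
            created[account(d["TargetUserName"])] = t
        elif eid == MEMBER_ADDED_LOCAL and d["TargetUserName"] == "Administrators":
            # Real 4732 events often carry only MemberSid; resolve it to a name first.
            admins[account(d["MemberName"])] = t
        elif eid == LOGON and d["LogonType"] == RDP_LOGON_TYPE:
            rdp[account(d["TargetUserName"])].append((t, d.get("IpAddress", "-")))
    alerts = []
    for user in set(created) | set(admins) | set(rdp):
        reasons = []
        if user in created and user in admins:
            reasons.append("new account added to Administrators")
        logons = rdp.get(user, [])
        if user in created and logons:
            reasons.append("RDP logon by newly created account")
        off_hours = [t for t, _ in logons if in_window(t)]
        if off_hours:
            reasons.append(f"{len(off_hours)} RDP logon(s) in 06:00-09:00 UTC")
        if reasons:
            alerts.append({"user": user, "reasons": reasons,
                           "sources": sorted({ip for _, ip in logons})})
    return sorted(alerts, key=lambda a: -len(a["reasons"]))


# Constructed sample events (not from the report), shaped like a JSON export.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2020-01-06T05:40:02Z",
     "data": {"TargetUserName": "svc_update", "SubjectUserName": "admin"}},
    {"id": 4732, "time": "2020-01-06T05:41:10Z",
     "data": {"TargetUserName": "Administrators", "MemberName": "WKS01\\svc_update"}},
    {"id": 4624, "time": "2020-01-06T06:12:33Z",
     "data": {"TargetUserName": "svc_update", "LogonType": "10", "IpAddress": "203.0.113.7"}},
    {"id": 4624, "time": "2020-01-06T07:55:41Z",
     "data": {"TargetUserName": "svc_update", "LogonType": "10", "IpAddress": "203.0.113.7"}},
    {"id": 4624, "time": "2020-01-06T14:00:05Z",
     "data": {"TargetUserName": "jsmith", "LogonType": "2", "IpAddress": "-"}},
    {"id": 4624, "time": "2020-01-06T15:30:19Z",
     "data": {"TargetUserName": "jsmith", "LogonType": "10", "IpAddress": "10.0.0.5"}},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["user"], a["sources"], "; ".join(a["reasons"]))
```

The ordinary daytime RDP session by `jsmith` produces no alert, which is the point: the time window on its own is a weak signal, and a single 4732 on its own is routine administration; the pattern is the sequence of a new account, immediate admin membership and RDP use by that account. Feed it the output of `wevtutil qe Security /f:xml` or a SIEM export converted to the same shape; the hard-coded window should be replaced with whatever the operators' schedule looks like in your own environment.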

The STOLEN PENCIL campaign likely represents only a small part of the threat actor's activity. The use of basic techniques, off-the-shelf programs, the cryptocurrency-stealing MECHANICAL tool, and the Korean language suggests the actor is of North Korean origin, the security researchers say.

“They spent significant time and resources doing reconnaissance on their targets, as evidenced by the comments left on the Chrome extension page. Their main goal appears to be gaining access to compromised accounts and systems via stolen credentials and holding on to it. We were not able to find any evidence of data theft – their motives for targeting academia remain murky,” NetScout concludes.

Related: U.S. Links North Korean Government to ATM Hacks

Related: Researchers Link New NOKKI Malware to North Korean Actor

Original author: Ionut Arghire