A new campaign, potentially originating from North Korea, has been targeting academic institutions since at least May 2018, according to new research published by NETSCOUT.
Dubbed "STOLEN PENCIL," the spear phishing campaign delivers emails that send unsuspecting users to a website displaying a document. The document lures them into installing a malicious Google Chrome extension, which the threat actors then use to scavenge for credentials.
“In keeping with tried and true tactics, the operators behind the STOLEN PENCIL campaign used spear-phishing as their initial intrusion vector,” NETSCOUT wrote in a blog post. “First reported by Twitter user @MD0ugh, a target of STOLEN PENCIL receives a spear-phishing message containing a link to one of several domains controlled by the threat actor.”
Once the malicious actors gain a foothold, they use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. According to NETSCOUT, this tactic indicates that a person – rather than a remote access Trojan (RAT) with a command-and-control site – is actually behind the keyboard interacting with the compromised system. The threat actors then continue to use RDP to maintain persistence.
Additionally, the attackers rely on built-in Windows administrator tools and other commercial software to sustain the attack. Once they have exploited the victim’s system, they harvest passwords from multiple off-the-shelf sources, including process memory and web browsers, as well as through network sniffing and keylogging. Oddly, the researchers have not yet seen any evidence of data theft, which has left them unable to determine the motivation of the attackers; however, many of the victims were experts in biomedical engineering, according to NETSCOUT.
“Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system,” the research team wrote.
While the threat actors’ tactics and procedures are quite basic and rely on off-the-shelf tools, the operators spent a lot of time on reconnaissance. They also demonstrated poor OPSEC, exposing their use of the Korean language through both the websites they viewed and their keyboard layout selections.