loader gif

North Korean hackers’ new Stolen Pencil campaign targets universities

North Korean hackers’ new Stolen Pencil campaign targets universities
  • The cyberespionage campaign targeted academic institutions and has been operational since May 2018.
  • The main goal of the cybercriminals behind this attack is to steal credentials.

A new cyberespionage campaign has been discovered that involves North Korea-backed hackers using a Google Chrome extension to infect targeted systems. The new campaign dubbed ‘Stolen Pencil’, aims to steal passwords and users’ cookies.

According to a report published by ASERT team at Netscout, the campaign targeted academic institutions and has been operational since May 2018. The main goal of the cybercriminals behind this attack appears to be stealing credentials.

Modus Operandi

Targeted users were sent spear-phishing emails that came attached with a link that redirected victims to malicious websites. Once the user clicked on these malicious links, bogus PDF document opens, which prompts the victim to install a Chrome extension named Auto Font Manager.

Netscout researchers explained that the Chrome extension has the ability to steal both cookies and site passwords. In order to maintain persistence, the threat actors used built-in Windows administration tools and commercial off-the-shelf software. The attackers hacked into universities’ networks via Remote Desktop Protocol (RDP) connections, instead of using a backdoor or RAT.

"We've identified three universities based in the United States and one non-profit institution based in Asia [that] we're certain to have been targeted," Netscout researchers told ZDNet.

“A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers targeting,”Netscout researchers said in a report.

Key points

Once the threat actors gains persistence over systems, they can perform a wide range of malicious activities such as harvesting the targeted system’s process memory, web browsers, and installing keyloggers. However, researchers found no evidence of data theft, which raises concerns over the cybercriminals’ motives.

"Poor OPSEC led to users finding open web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean language settings," researchers said.

To remain safe from such attacks, users should not click on any suspicious links in an email. Users must be cautious of any prompt asked during the installation of browser extensions. Limit the RDP access with a firewall to avoid access by any malicious entity.

loader gif