North Korean-Backed Group Suspected of Stolen Pencil Campaign

  /     /     /  
Publicated : 23/11/2024   Category : security


North Korean-Backed Group Suspected of Stolen Pencil Campaign


The ASERT Team at NetScout has published a report that details a campaign dubbed Stolen Pencil, which targeted universities and other academic groups. A North Korean-backed group is suspected of starting it.



A new campaign, possibly with backing from North Korea, is targeting universities and other academic institutions using spear phishing techniques, as well as a malicious Google Chrome extension, to gain a foothold inside various networks, according to new research released this week.
In a blog post published December 5
, the ASERT Team at NetScout offers details about the campaign, which it calls Stolen Pencil. It not clear what the motivation is behind this advanced persistent threat (APT), but institutions in the US and South Korea have been targeted.
Weve identified four universities based in the United States and one non-profit institution based in Asia were certain have been targeted, ASERT Team researchers told Security Now in an email. These might be just the tip of the iceberg. There are no indications of data theft, which is why the motivation behind the campaign remains unknown.
(Source:
Pixabay
)
The report did note that many of the victims had backgrounds in biomedical engineering and research.
The group behind Stolen Pencil appears to use spear phishing techniques to lure victims to a specific website that contains a PDF document, which houses a malicious Google Chrome extension. If a person clicks the link and downloads the extension, the attackers can gain access to the network.
Once inside, the attackers use living off the land, tools to spread through the network, including Microsofts Remote Desktop Protocol (RDP), as opposed to a remote access Trojan or RAT. After establishing a presence, the group continues to look for more passwords and access, as well as deploying malware, such as keyloggers.
As the group moved around the network, the ASERT researchers found that the threat actors used two specific tools. The first, called MECHANICAL, is used for cryptojacking, specifically changing the wallet addresses of Ethereum cryptocurrency. The other tool is GREASE, which helps circumvent firewall rules.
Researchers found that compromised or stolen certificates were used to sign files where these tool sets were used.
Certificate used to sign MECHANICAL/GREASE

(Source:
NetScout
)
In their email, the researchers noted:

The tools were almost certainly custom written. MECHANICAL is a keylogger, but also hijacks Ethereum transactions and sends the cryptocurrency to a specific wallet. GREASE adds an administrative account with a specific password. It’s possible they reused code snippets found online, but we havent found any overlapping binary or source code signatures in anything publicly available.

The use of the cryptojacker, along with other evidence, such as English-to-Korean translator and an attacker changing someones keyboard to Korean, points to North Korea as the sponsor of such a campaign. However, the researchers noted that a specific link could not be established.
While we dont have any indication it is linked to a publicly reported DPRK [North Korea] actor group, the TTPs [Tools, Techniques, and Procedures] are similar to other campaigns and activity (i.e. the open source tools, the target types, the credential theft, the Ethereum cryptojacking, Korean keyboard/language settings, etc), the researchers wrote in their email.
Earlier this year, Kaspersky Lab published a report that found phishing attacks against universities and school have been on the increase. The company found over 130 institutions in 16 different countries were targeted by these various phishing campaigns. (See
Multiple Phishing Attacks Target Top Universities
.)
Related posts:
Symantec Offers New Details of North Korean-Backed FASTCash Attack
Sophos: Living off the Land Is the Law of the Land
Cybercriminal Underground Will Continue to Consolidate in 2019
DoJ Charges 10 Chinese Nationals in Elaborate Cyberespionage Case
— Scott Ferguson is the managing editor of Light Reading and the editor of
Security Now
. Follow him on Twitter
@sferguson_LR
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
North Korean-Backed Group Suspected of Stolen Pencil Campaign