Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

STOLEN PENCIL campaign, hackers target academic institutions.

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year. North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website where a decoy document that attempts to trick users into installing a malicious Google Chrome […]

North Korea Lazarus APT

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year.

North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website where a decoy document that attempts to trick users into installing a malicious Google Chrome extension. 
Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities had expertise in biomedical engineering. 

Attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (i.e. Korean keyboards, open web browsers in Korean, English-to-Korean translators).

“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension.” reads the analysis published by the experts.

“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”

Threat actors used many basic phishing pages, the more sophisticated of them targeted academia display a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The malicious extension loads JavaScript from a separate site, experts only found a file containing legitimate jQuery code, likely because the threat actors replaced the malicious code to make hard the analysis. The malicious extension allows the attacker to read data from all the websites accessed by the victim, a circumstance that suggests attackers were looking to steal browser cookies and passwords. 

Experts pointed out that the attackers did not use a malware to compromise the targets, the STOLEN PENCIL attackers employed RDP to access the compromised systems, researchers observed remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’ ones, the latter adds a Windows administrator account to the system and would also enable RDP.

The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The list of the tools include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

The STOLEN PENCIL campaign likely represents only a small set of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the aforementioned cryptojacker, and the use of Korean language suggests the actor is of North Korean origin, the security researchers say. 

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. ” NetScout concludes. 

“This, along with the presence of the cryptojacker, is typical of DPRK tradecraft.  Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.” 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – STOLEN PENCIL, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]