There is a new advanced persistent threat (APT) in the global village and it’s called ‘Stolen Pencil’, because it apparently targets academic institutions.
“We say ‘new’ threat,” says Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions, “but it actually seems to have been around for about the latter half of last year. This is according to NETSCOUT Arbor’s Security Engineering and Response Team (ASERT), which uncovered the APT campaign and can assist in protecting against it.”
Hamman clarifies that according to ASERT, the APT campaign possibly originates from North Korea and has been targeting academic institutions since May 2018. The motivation behind the attacks is unclear but the threat actors have been very good at illicitly getting hold of credentials.
“Targets are sent spear phishing e-mails that lead them to a website displaying a lure document and are immediately prompted to install a malicious Google Chrome extension,” he explains. “Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Microsoft’s Remote Desktop Protocol (RDP) to maintain access. These malicious Chrome extensions – which have since been removed from the Chrome Web Store – declare permissions to run on every URL in the browser.”
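The permission claim above is something a security team can check for itself. The following Python script is an added example (not NETSCOUT Arbor's tooling, and the two manifests in it are constructed samples, not the extensions ASERT analysed): it reads a Chrome extension manifest and reports every field that grants the extension access to all URLs, which is the broad grant the article describes, whether it comes through `permissions`, `host_permissions` or a content script's `matches` list.

```python
import json

# Constructed sample manifests for illustration only.
BROAD_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-extension",
    "permissions": ["tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})

NARROW_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "example-extension",
    "host_permissions": ["https://intranet.example.edu/*"],
    "content_scripts": [{"matches": ["https://intranet.example.edu/*"], "js": ["inject.js"]}],
})

# Chrome match patterns that cover every URL the browser can visit.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Manifest fields that can carry host grants (MV2 and MV3 spellings).
HOST_FIELDS = ("permissions", "optional_permissions",
               "host_permissions", "optional_host_permissions")


def broad_host_grants(manifest_text):
    """Return a list of 'field:pattern' strings for every all-URL grant found."""
    manifest = json.loads(manifest_text)
    hits = []
    for field in HOST_FIELDS:
        for entry in manifest.get(field, []):
            if entry in ALL_URL_PATTERNS:
                hits.append(f"{field}:{entry}")
    # Content scripts inject into every page matching their patterns,
    # so an all-URL match there is just as broad as a permission entry.
    for index, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in ALL_URL_PATTERNS:
                hits.append(f"content_scripts[{index}].matches:{pattern}")
    return hits


if __name__ == "__main__":
    for label, text in (("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST)):
        print(label, broad_host_grants(text) or "no all-URL grants")
```

Run it against an unpacked extension's `manifest.json` (for example, from a user's Chrome profile directory) to triage which installed extensions can read every page the user visits; an empty result for the narrow manifest shows that scoped host patterns are not flagged.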
Some of the domains used for phishing, as identified by ASERT, include the following (with other sub-domains also identified):
The key findings of ASERT’s research include the following points:
- Many of the victims, across multiple universities, had expertise in biomedical engineering – the application of engineering principles and design concepts to medicine and biology for healthcare purposes. This suggests a possible motivation for the attackers.
- The hackers’ poor operational security gave investigators clear attribution clues: open web browsers set to Korean, open English-to-Korean translator pages, and keyboards switched to Korean language settings.
- Once gaining a foothold on a user’s system, the threat actors behind STOLEN PENCIL use RDP for remote point-and-click access. This means a human is behind the keyboard interacting with a compromised system, and not using a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system.
- Post-exploitation persistence is maintained by harvesting passwords from a wide variety of sources such as process memory, web browsers, network sniffing, and keyloggers.
- There has been no evidence of data theft.
ASERT’s recommendations to security teams are as follows:
- Advise users not to click on any suspicious links in an e-mail, both at work and at home, even if they are from people they trust.
- Recommend that they be wary of any prompts to install browser extensions, even if they are hosted on an official extension site.
- Watch for e-mails containing links to the phishing domains.
- Limit RDP access with a firewall to only those systems that require it. Monitor for suspicious RDP connections where there should be none.
- Look for suspicious, newly created administrative accounts.
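The last two recommendations (monitoring for RDP connections where none are expected, and watching for newly created administrative accounts) can be expressed as simple detection logic over Windows Security event logs. The Python below is an added example, not ASERT's detection content; the event records are constructed and simplified to the fields the checks need, and the "allowed" RDP source range is an assumption standing in for whatever jump hosts a given campus actually permits. It uses the standard event IDs 4624 (logon; logon type 10 is RemoteInteractive, i.e. RDP), 4720 (user account created) and 4732 (member added to a local security group).

```python
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (illustrative only).
EVENTS = [
    {"time": "2018-11-02T09:14:00", "id": 4624, "logon_type": 10,
     "user": "jsmith", "src_ip": "10.20.5.17", "host": "LAB-PC-07"},
    {"time": "2018-11-02T22:41:00", "id": 4624, "logon_type": 10,
     "user": "jsmith", "src_ip": "203.0.113.44", "host": "LAB-PC-07"},
    {"time": "2018-11-02T22:43:00", "id": 4720,
     "user": "svc_update", "host": "LAB-PC-07"},
    {"time": "2018-11-02T22:44:00", "id": 4732, "user": "svc_update",
     "group": "Administrators", "host": "LAB-PC-07"},
    {"time": "2018-11-03T08:05:00", "id": 4720,
     "user": "newstudent", "host": "LAB-PC-07"},
]

# Assumed: the only network from which RDP to these hosts is legitimate.
RDP_ALLOWED_PREFIXES = ("10.20.",)


def suspicious_rdp_logons(events, allowed=RDP_ALLOWED_PREFIXES):
    """Return RDP (logon type 10) logons whose source is outside the allowed range."""
    return [
        e for e in events
        if e["id"] == 4624
        and e.get("logon_type") == 10
        and not e["src_ip"].startswith(allowed)
    ]


def new_admin_accounts(events, window=timedelta(hours=1)):
    """Return users created and then added to Administrators within `window`.

    Pairing creation (4720) with the group change (4732) on the same host
    filters out routine account creation that never becomes privileged.
    """
    created = {}
    hits = []
    for e in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(e["time"])
        key = (e["host"], e["user"])
        if e["id"] == 4720:
            created[key] = when
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            since = created.get(key)
            if since is not None and when - since <= window:
                hits.append(e["user"])
    return hits


if __name__ == "__main__":
    for e in suspicious_rdp_logons(EVENTS):
        print(f"RDP from unexpected source {e['src_ip']} as {e['user']} on {e['host']} at {e['time']}")
    for user in new_admin_accounts(EVENTS):
        print(f"new account {user} promoted to Administrators shortly after creation")
```

On the constructed data the first check flags the late-night logon from 203.0.113.44 and the second flags `svc_update`, while `newstudent` (created but never promoted) is ignored. In a real deployment the records would come from a SIEM export or Windows event forwarding, and the allowed prefixes from the firewall rules that implement the "limit RDP access" recommendation.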
“Because it appears that no data has been stolen, this would indicate that the goal of the operation is to maintain persistent access. The ASERT team assessed with high confidence that the goal was to steal browser cookies and passwords. E-mail forwarding was also observed on some compromised accounts.
Traditionally, North Korean hackers have been known for stealing money to finance the rule of Kim Jong Un, but this recent ASERT research shows that the stakes may be changing and that North Korea may now also be targeting universities in its latest espionage campaign. To this end, it’s important to know that NETSCOUT Arbor APS enterprise security products detect and block activity related to STOLEN PENCIL using our ATLAS Intelligence Feed,” concludes Hamman.