Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security Management

12/6/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

North Korean-Backed Group Suspected of 'Stolen Pencil' Campaign

The ASERT Team at NetScout has published a report that details a campaign dubbed "Stolen Pencil," which targeted universities and other academic groups. A North Korean-backed group is suspected of starting it.

A new campaign, possibly with backing from North Korea, is targeting universities and other academic institutions using spear phishing techniques, as well as a malicious Google Chrome extension, to gain a foothold inside various networks, according to new research released this week.

In a blog post published December 5, the ASERT Team at NetScout offers details about the campaign, which it calls "Stolen Pencil." It not clear what the motivation is behind this advanced persistent threat (APT), but institutions in the US and South Korea have been targeted.

"We've identified four universities based in the United States and one non-profit institution based in Asia we're certain have been targeted," ASERT Team researchers told Security Now in an email. "These might be just the tip of the iceberg. There are no indications of data theft, which is why the motivation behind the campaign remains unknown."

The report did note that many of the victims had backgrounds in biomedical engineering and research.

The group behind Stolen Pencil appears to use spear phishing techniques to lure victims to a specific website that contains a PDF document, which houses a malicious Google Chrome extension. If a person clicks the link and downloads the extension, the attackers can gain access to the network.

Once inside, the attackers use "living off the land," tools to spread through the network, including Microsoft's Remote Desktop Protocol (RDP), as opposed to a remote access Trojan or RAT. After establishing a presence, the group continues to look for more passwords and access, as well as deploying malware, such as keyloggers.

As the group moved around the network, the ASERT researchers found that the threat actors used two specific tools. The first, called MECHANICAL, is used for cryptojacking, specifically changing the wallet addresses of Ethereum cryptocurrency. The other tool is GREASE, which helps circumvent firewall rules.

Researchers found that compromised or stolen certificates were used to sign files where these tool sets were used.

In their email, the researchers noted:

The tools were almost certainly custom written. MECHANICAL is a keylogger, but also hijacks Ethereum transactions and sends the cryptocurrency to a specific wallet. GREASE adds an administrative account with a specific password. It’s possible they reused code snippets found online, but we haven't found any overlapping binary or source code signatures in anything publicly available.

The use of the cryptojacker, along with other evidence, such as English-to-Korean translator and an attacker changing someone's keyboard to Korean, points to North Korea as the sponsor of such a campaign. However, the researchers noted that a specific link could not be established.

"While we don't have any indication it is linked to a publicly reported DPRK [North Korea] actor group, the TTPs [Tools, Techniques, and Procedures] are similar to other campaigns and activity (i.e. the open source tools, the target types, the credential theft, the Ethereum cryptojacking, Korean keyboard/language settings, etc)," the researchers wrote in their email.

Earlier this year, Kaspersky Lab published a report that found phishing attacks against universities and school have been on the increase. The company found over 130 institutions in 16 different countries were targeted by these various phishing campaigns. (See Multiple Phishing Attacks Target Top Universities.)

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...