“We say ‘new’ threat,” says Bryan Hamman, territory manager for sub-Saharan Africa at Netscout Arbor, which specialises in advanced distributed denial of service (DDoS) protection solutions, “but it actually seems to have been around for about the latter half of last year. This is according to Netscout Arbor’s Security Engineering and Response Team (ASERT), which uncovered the APT campaign and can assist in protecting against it.”
Hamman clarifies that, according to ASERT, the APT campaign possibly originates from North Korea and has been targeting academic institutions since May 2018. The motivation behind the attacks is unclear, but the threat actors have been very good at illicitly getting hold of credentials.
“Targets are sent spear phishing e-mails that lead them to a website displaying a lure document and are immediately prompted to install a malicious Google Chrome extension,” he explains.
“Once they have gained a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Microsoft’s Remote Desktop Protocol (RDP) to maintain access. These malicious Chrome extensions – which have since been removed from the Chrome Web Store – declare permissions to run on every URL in the browser.”
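The trait Hamman highlights, an extension that declares permission to run on every URL, can be checked for directly in a Chrome profile. The script below is an added example, not Netscout or ASERT code; it assumes the Linux default-profile Extensions path, and the sample manifests are constructed.

```python
"""Flag Chrome extensions whose manifest grants access to every URL.

Added example (not Netscout/ASERT code). Handles Manifest V2 'permissions',
Manifest V3 'host_permissions', and content-script 'matches', since any of
these can give an extension a foothold on every site the user visits.
"""
import json
from pathlib import Path

# Chrome match patterns that cover every URL.
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requests_all_urls(manifest: dict) -> bool:
    """Return True if the manifest requests access to every URL."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        declared |= set(script.get("matches", []))
    return bool(declared & ALL_URL_PATTERNS)


def scan_extensions_dir(root: Path) -> list[tuple[str, str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return
    (extension id, name) for every extension that requests all URLs."""
    flagged = []
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if requests_all_urls(manifest):
            ext_id = manifest_path.parents[1].name
            flagged.append((ext_id, manifest.get("name", "?")))
    return flagged


# Constructed sample manifests; not the real STOLEN PENCIL extensions.
BROAD_MV2 = {"manifest_version": 2, "name": "Font Helper",
             "permissions": ["<all_urls>", "cookies", "storage"]}
BROAD_MV3 = {"manifest_version": 3, "name": "Page Tweaks",
             "host_permissions": ["*://*/*"]}
SCOPED = {"manifest_version": 3, "name": "Site Tool",
          "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    # Assumed Linux path; adjust for Windows/macOS profiles.
    profile = Path.home() / ".config/google-chrome/Default/Extensions"
    for ext_id, name in scan_extensions_dir(profile):
        print(f"{ext_id}\t{name}\trequests access to every URL")
```

An extension that needs every URL is not malicious by itself, so treat hits as a triage list to compare against the Chrome Web Store listing and the user's expectations.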
Some of the domains used for phishing, as identified by ASERT, include the following (with other sub-domains also identified):
The key findings of ASERT’s research include the following points:
ASERT’s recommendations to security teams are as follows:
“Because it appears that no data has been stolen, this would indicate that the goal of the operation is to maintain persistent access. The ASERT team assessed with high confidence that the goal was to steal browser cookies and passwords. E-mail forwarding was also observed on some compromised accounts. Traditionally, North Korean hackers have been known for stealing money to finance the rule of Kim Jong Un, but this recent ASERT research shows that the stakes may be changing, and that North Korea may now also be targeting universities in its latest espionage campaign. To this end, it’s important to know that NETSCOUT Arbor APS enterprise security products detect and block activity related to STOLEN PENCIL using our ATLAS Intelligence Feed,” concludes Hamman.