A new campaign, probably originating from the Democratic People's Republic of Korea, has been targeting educational institutions since at least May 2018.
Dubbed "STOLEN PENCIL," the spear-phishing campaign delivers emails that send unsuspecting users to a website displaying a document that tricks them into installing a malicious Google Chrome extension, so that the threat actors can then scavenge for credentials.
"In keeping with tried and true ways, the operators behind the STOLEN PENCIL campaign used spear-phishing as their initial intrusion vector," the research team wrote. "A target of STOLEN PENCIL receives a spear-phishing message containing a link to one of many domains controlled by the threat actor."
Once the malicious actors gain a foothold, they use Microsoft's Remote Desktop Protocol (RDP) for remote point-and-click access. This tactic indicates that a person, rather than a remote access Trojan (RAT) talking to a command-and-control server, is actually behind the keyboard interacting with the compromised system. The threat actors then use RDP to maintain persistence.
Additionally, the attackers rely on built-in Windows administrator tools and other commercial software to sustain the attack. Once they have compromised the victim's system, they leverage multiple off-the-shelf sources, such as process memory, web browsers, network sniffing and keylogging, to harvest passwords. Researchers have not yet seen any evidence of data theft, which has left them unable to determine the attackers' motivation; however, many of the victims were experts in biomedical engineering.
"Using a mixture of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system," the research team wrote.
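Because the intrusion is driven by a person over RDP rather than by malware beaconing to a C2 server, network signatures for a RAT will not catch it; the Windows Security log will. The script below is an added example (not code from the article or from the researchers it cites) that hunts for the combination the quote describes: a RemoteInteractive logon from an unexpected source, by an account that should not be using RDP, outside working hours, or by an account created shortly beforehand. The event records, allowlists and working hours are constructed placeholders for a hypothetical lab network; the only facts relied on are that a successful logon is Event ID 4624, that LogonType 10 (RemoteInteractive) is what an RDP session produces, and that Event ID 4720 records creation of a new account.

```python
"""Hunt for hands-on-keyboard RDP use in Windows Security events.

Added example, not code from the article or the researchers it cites.
SAMPLE_EVENTS are constructed to resemble a few fields of Security.evtx
records; the allowlists and working hours are placeholder assumptions.
"""
from datetime import datetime

# Constructed sample events (a subset of Security.evtx fields).
SAMPLE_EVENTS = [
    {"time": "2018-05-14T09:01:12", "id": 4624, "logon_type": 2,
     "user": "alice", "src_ip": "-"},                      # console logon
    # A new account appears at night ...
    {"time": "2018-05-14T22:17:40", "id": 4720, "logon_type": None,
     "user": "svc_backup", "src_ip": "-"},
    # ... and logs in over RDP two minutes later from outside the network.
    {"time": "2018-05-14T22:19:03", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "198.51.100.23"},
    # A legitimate user's (stolen) credentials reused over RDP at 03:40.
    {"time": "2018-05-15T03:40:55", "id": 4624, "logon_type": 10,
     "user": "alice", "src_ip": "198.51.100.23"},
    # Expected admin RDP from the jump host during working hours.
    {"time": "2018-05-15T10:05:00", "id": 4624, "logon_type": 10,
     "user": "itadmin", "src_ip": "10.0.0.5"},
]

# Placeholder assumptions about what is normal on this network.
ALLOWED_RDP_SOURCES = {"10.0.0.5"}   # jump host admins RDP from
ALLOWED_RDP_USERS = {"itadmin"}      # accounts expected to use RDP
WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as working hours
NEW_ACCOUNT_WINDOW_H = 24            # creation within this window is notable


def hours_between(earlier, later):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600


def find_suspicious_rdp(events, allowed_sources=ALLOWED_RDP_SOURCES,
                        allowed_users=ALLOWED_RDP_USERS):
    """Return one finding per RDP logon that violates any expectation.

    Each finding carries the event's time, user, source and the list of
    reasons it was flagged. Events are processed in time order so that an
    account creation (4720) seen earlier can be tied to a later logon.
    """
    created_at = {}   # user -> time the account was created
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created_at[ev["user"]] = ev["time"]
            continue
        if ev["id"] != 4624 or ev["logon_type"] != 10:
            continue  # not a RemoteInteractive (RDP) logon

        reasons = []
        if ev["src_ip"] not in allowed_sources:
            reasons.append("RDP from unexpected source %s" % ev["src_ip"])
        if ev["user"] not in allowed_users:
            reasons.append("account %s not expected to use RDP" % ev["user"])
        if datetime.fromisoformat(ev["time"]).hour not in WORK_HOURS:
            reasons.append("logon outside working hours")
        if ev["user"] in created_at:
            age = hours_between(created_at[ev["user"]], ev["time"])
            if age <= NEW_ACCOUNT_WINDOW_H:
                reasons.append("account created %.1f h before logon" % age)
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["src_ip"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data the jump-host admin session passes, while the night-time logon by the freshly created account and the 03:40 logon with alice's credentials are both flagged. In production the same logic would be fed from exported 4624/4720 events and the allowlists populated from the organisation's actual RDP policy; the "account created shortly before logon" rule is the one that specifically surfaces the backdoor accounts the researchers describe.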
While the tactics and procedures of the threat actors are quite basic and they rely on off-the-shelf tools, they spent a lot of time doing reconnaissance. Additionally, the operators also demonstrated poor OPSEC and exposed their Korean language in both viewed websites and keyboard selections.