Malicious Chrome extension which sloppily spied on academics believed to originate from North Korea

Computer users are being reminded once again to take care of the browser extensions they install after security experts discovered a hacking campaign that has been targeting academic institutions since at least May 2018.

Researchers at Netscout have warned of a state-sponsored attack dubbed “Stolen Pencil” that is thought to originate from North Korea.

The state-sponsored attack is relatively unusual for its use a malicious Google Chrome browser extension.

The hackers are said to have sent out emails to their targeted victims posing as academic institutions in order to trick them into clicking on a link.

In a message posted in September, one Twitter user described how they had received an email claiming to come from Dartmouth College. The email, which used the subject of nuclear deterrence as a lure, encouraged the recipient to visit a web link that contained a benign PDF file.

Upon reaching the webpage, the targeted user would be redirected to the installation page of a malicious browser extension called “Font Manager” in the Chrome Web Store.

In an attempt to increase the likelihood of targeted users installing the browser extension, Font Manager’s entry in the Chrome Web Store was accompanied by many “five star” reviews copied from other extensions. Amusingly, even the text of poor reviews was copied by those attempting to make their extension appear more reputable – which presumably wasn’t their intention.

Once in place, the extension was able to steal cookies and passwords from users’ Chrome browser sessions. Some compromised computers were also found to have had their email forwarded.

Researchers realized that the servers used to host the phishing sites had previously been used in other attacks that had compromised university networks.

Malware used in the campaign was designed to log keystrokes, hijack Ethereum cryptocurrency transactions and allow hackers to gain (Read more...)