North Korean APT Group Targets Academia via Malicious Chrome Extensions

Security researchers have uncovered an APT group with possible ties to North Korea that has targeted academic institutions since May.

The group, dubbed Stolen Pencil by researchers from Netscout, send spear-phishing emails which direct users to a website that asks them to install a “font manager” Chrome extension in order to view a document.

The researchers found multiple Chrome extensions used by the group that were hosted in the Google Chrome Store and had received favorable reviews from fake accounts set up by the attackers.

A large number of victims from the targeted universities had expertise in biomedical engineering, suggesting that this domain is a focus for the attackers. However, researchers haven’t found evidence of data theft, so the group’s end goal is not yet clear. In addition, some phishing domains set up by the group suggest that users from other sectors might have also been targeted.

The malicious extensions (now removed) requested permission to access data on all websites and were being used to steal credentials and authentication cookies. In some cases, they were also used to set up email forwarding rules in victims’ email accounts.

After gaining a foothold on computers, attackers used a variety of off-the-shelf tools to achieve persistence and steal other local credentials. A common technique used by the group was to enable Remote Desktop Access and control the computers through RDP sessions.

Some custom tools used by the group were signed with a digital code signing certificate belonging to an entity called EGIS Co. that has since been revoked. However, the researchers also found a ZIP archive that contained a variety of common password recovery tools.

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity,” the Netscout researchers said in their report. “Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. This, along with the presence of the cryptojacker, is typical of DPRK tradecraft.”

Stolen Pencil is not the only group with a focus on academia. In March, the U.S. Department of Justice indicted nine Iranian nationals for cyberattacks that resulted in the theft of more than 30TB of data from 144 universities in the United States and 176 universities from 21 other countries.

Adobe Releases Emergency Patch for Flash Player Zero-Day Exploit

Adobe has released an out-of-band update for Flash Player to fix two vulnerabilities, one of which was recently discovered in a zero-day exploit.

The exploit was embedded as an Active X object inside a Word document that masqueraded as an employee questionnaire from a Russian state healthcare clinic. The document was uploaded to the VirusTotal online scanner last week from an IP address in Ukraine and was spotted by researchers from Gigamon and Qihoo 360.

According to Qihoo 360, the document arrives in a .rar archive and, when opened, prompts users to execute the Flash content. If the embedded object is allowed to execute, it exploits a previously unknown use-after-free vulnerability in Flash Player.

The final payload was a backdoor that disguised itself as NVIDIAControlPanel.exe and was digitally signed with a certificate that is now revoked.

“Automated analysis of VirusTotal samples originally prioritized ’22.docx’ for manual analysis, leading to its discovery as a zero-day exploit document and ATR’s submission to Adobe within 2 hours of receipt,” the Gigamon researchers said in a report.

Using metadata from the first document, the researchers located a second document called 33.docx that was also submitted to VirusTotal by the same individual from the same country shortly after the first document was uploaded.

The exploit and payload have strong similarities to exploit techniques and code leaked from Italian surveillance company HackingTeam in 2015.

Adobe tracks this vulnerability as CVE-2018-15982 and fixed in it the newly released Flash Player 32.0.0.101 for all platforms. The new version also patches a DLL hijacking flaw, CVE-2018-15983, that can be used by privilege escalation.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin