Asian hacker group uses Chrome extension to corrupt victims' systems

since last December, a Group of North Korean hackers in the category ATP, is suspected of using extension Google Chrome to attack its victims who are usually in academia.

We know that they are supported by a state but we do not know which one. It is very likely that it is the North Korean state.

This article will also interest you: 3 groups of North Korean pirates in contact with the Americans

What exactly are they doing? They use the Google extension to attack the victim's system in order to steal login credentials (passwords) and navigation cookies. what's strange is that this is the very first time that ATP-type hackers for Advanced Persistent Threat – "an industrial term for nation-state hacking groups. Uses Chrome extensions to carry out their attacks, even if it's not the first time a group of hackers has used a browser extension. One example is ATP Turla, which once carried out an attack with the Firefox browser extension in 2015.

This active North Korean hacker group has begun its phishing strategy via chrome extension May 2018. Using e-mail or other e-mail, hackers Computer scientists have managed to attract many of their victims on dummy sites, imitating those of university organizations.

one once on the fake site, victims were directed to a PDF document that he couldn't download when he was trying. So and head for a Chrome extension called "Auto Font Manager." An extension that doesn't exist today

Computer security researchers at NEtscout tried to explain the fact that the extension had the ability to steal not only user cookies but also words pass. They said it was becoming theft of emails, or accounts to be compromised.

essentially limited to academia, these hackers have not yet attacked another sector. "We have identified three universities U.S.-based and a non-profit institution based in Asia that have been targeted by this campaign (…) A large number of victims, several universities, had expertise in biomedical engineering, suggesting that may be a motivation to target attackers" observed the researchers Netscout. It was also discovered that the same servers that hosted these fake sites for this phishing campaign had previously hosted other sites that had already delivered to this exercise.

always according to the researchers, those responsible for this phishing campaign "Stolen Pencil" and the evidence gathered does not allow for doubting their nationality "Mistakes operational security issues have led users to find open web browsers in Korean, from English to Korean translators open on their machines and keyboards switched to Korean settings." However one thing seems strange. Indeed, our researchers "have not seen any evidence of data theft, but like any intrusion, we can't completely rule out this possibility. None of the tools or commands were specifically for the theft of information. They were focused on the flight login credentials and maintaining access. »

It is understandable about the interest that pirate groups can bring to academic institutions. However, what could be the cause of this particular attack?

Now access an unlimited number of passwords:

Check out our hacking software