Stolen Pencil
Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1176 | Browser Extensions |
Stolen Pencil victims are prompted to install malicious Google Chrome extensions which gave the threat actor the ability to read data from any website accessed.[1] |
| Enterprise | T1003 | Credential Dumping |
Stolen Pencil gathers credentials using Moafee and Procdump.[1] |
| Enterprise | T1503 | Credentials from Web Browsers |
Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[1] |
| Enterprise | T1081 | Credentials in Files |
Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.[1] |
| Enterprise | T1056 | Input Capture |
Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{{txt,log}}.[1] |
| Enterprise | T1040 | Network Sniffing |
Stolen Pencil has a tool to sniff the network for passwords.[1] |
| Enterprise | T1108 | Redundant Access |
Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.[1] |
| Enterprise | T1076 | Remote Desktop Protocol |
Stolen Pencil utilized RDP for direct remote point-and-click access.[1] |
| Enterprise | T1192 | Spearphishing Link |
Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1] |
| Enterprise | T1078 | Valid Accounts |
Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.[1] |