Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]

ID: G0086
Version: 1.1
Created: 05 February 2019
Last Modified: 20 March 2020

Techniques Used

Domain: Enterprise
ID: T1176
Name: Browser Extensions
Use: Stolen Pencil victims are prompted to install malicious Google Chrome extensions, which give the threat actor the ability to read data from any website accessed.[1]

Domain: Enterprise
ID: T1555.003
Name: Credentials from Password Stores: Credentials from Web Browsers
Use: Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[1]

Domain: Enterprise
ID: T1056.001
Name: Input Capture: Keylogging
Use: Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.[1]

Domain: Enterprise
ID: T1040
Name: Network Sniffing
Use: Stolen Pencil has a tool to sniff the network for passwords.[1]

Domain: Enterprise
ID: T1003.001
Name: OS Credential Dumping: LSASS Memory
Use: Stolen Pencil gathers credentials using Mimikatz and ProcDump.[1]

Domain: Enterprise
ID: T1566.002
Name: Phishing: Spearphishing Link
Use: Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1]

Domain: Enterprise
ID: T1021.001
Name: Remote Services: Remote Desktop Protocol
Use: Stolen Pencil utilized RDP for direct remote point-and-click access.[1]

Domain: Enterprise
ID: T1552.001
Name: Unsecured Credentials: Credentials In Files
Use: Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.[1]

Domain: Enterprise
ID: T1078.003
Name: Valid Accounts: Local Accounts
Use: Stolen Pencil has a tool to add a Windows admin account in order to ensure continued access via RDP.[1]

Software

ID: S0002
Name: Mimikatz
References: [1]
Techniques: Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

ID: S0029
Name: PsExec
References: [1]
Techniques: Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References