Stolen Pencil
Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]
ID: G0086
Version: 1.0
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1176 | Browser Extensions | Stolen Pencil victims are prompted to install malicious Google Chrome extensions which gave the threat actor the ability to read data from any website accessed.[1] |
| Enterprise | T1003 | Credential Dumping | Stolen Pencil gathers credentials using Moafee and Procdump.[1] |
| Enterprise | T1081 | Credentials in Files | Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.[1] |
| Enterprise | T1056 | Input Capture | Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.[1] |
| Enterprise | T1040 | Network Sniffing | Stolen Pencil has a tool to sniff the network for passwords.[1] |
| Enterprise | T1108 | Redundant Access | Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | Stolen Pencil utilized RDP for direct remote point-and-click access.[1] |
| Enterprise | T1192 | Spearphishing Link | Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1] |
| Enterprise | T1078 | Valid Accounts | Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.[1] |