Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]

ID: G0086
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1176 | Browser Extensions | Stolen Pencil victims are prompted to install malicious Google Chrome extensions, which give the threat actor the ability to read data from any website the victim accesses.[1]
Enterprise | T1003 | Credential Dumping | Stolen Pencil gathers credentials using Moafee and Procdump.[1]
Enterprise | T1081 | Credentials in Files | Stolen Pencil has used tools that are capable of obtaining credentials from saved mail and browser passwords.[1]
Enterprise | T1056 | Input Capture | Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.[1]
Enterprise | T1040 | Network Sniffing | Stolen Pencil has a tool to sniff the network for passwords.[1]
Enterprise | T1108 | Redundant Access | Stolen Pencil has a tool to add a Windows admin account in order to ensure continued access via RDP.[1]
Enterprise | T1076 | Remote Desktop Protocol | Stolen Pencil utilized RDP for direct remote point-and-click access.[1]
Enterprise | T1192 | Spearphishing Link | Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1]
Enterprise | T1078 | Valid Accounts | Stolen Pencil has a tool to add a Windows admin account in order to ensure continued access via RDP.[1]

Software

ID | Name | References | Techniques
S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec | [1] | Service Execution, Windows Admin Shares

References