Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]

ID: G0086
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1176 Browser Extensions

Stolen Pencil victims are prompted to install malicious Google Chrome extensions that give the threat actor the ability to read data from any website accessed.[1]

Enterprise T1003 Credential Dumping

Stolen Pencil gathers credentials using Moafee and Procdump.[1]

Enterprise T1503 Credentials from Web Browsers

Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[1]

Enterprise T1081 Credentials in Files

Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.[1]

Enterprise T1056 Input Capture

Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.[1]

Enterprise T1040 Network Sniffing

Stolen Pencil has a tool to sniff the network for passwords.[1]

Enterprise T1108 Redundant Access

Stolen Pencil has a tool to add a Windows admin account to ensure continued access via RDP.[1]

Enterprise T1076 Remote Desktop Protocol

Stolen Pencil utilized RDP for direct remote point-and-click access.[1]

Enterprise T1192 Spearphishing Link

Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1]

Enterprise T1078 Valid Accounts

Stolen Pencil has a tool to add a Windows admin account to ensure continued access via RDP.[1]
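The Input Capture, Redundant Access, Remote Desktop Protocol and Valid Accounts entries above describe two observable artefacts: a keystroke log at a fixed path under the user profile, and a newly created local administrator account that is later used over RDP. The following Python hunt script is an added example written for this page; it is not code from ATT&CK or from any tool attributed to the group. It assumes Windows Security audit events have already been exported to dictionaries with the standard field names, uses the well-known event IDs 4720 (account created), 4732 (member added to a local group) and 4624 with logon type 10 (RemoteInteractive, i.e. RDP), and uses constructed sample events. The `MemberName` field in the sample 4732 record is assumed to hold the resolved account name; real events usually carry the SID in `MemberSid`, which would need resolving first.

```python
"""Hunt for the persistence and keylogging artefacts listed for Stolen Pencil.

Added example, not part of the ATT&CK page or any vendor tool. The event
records below are constructed and carry only the fields this script reads.
"""
from __future__ import annotations

from typing import Callable, Iterable

ADMIN_GROUP_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
RDP_LOGON_TYPE = "10"             # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample Windows Security events (subset of real fields).
SAMPLE_EVENTS = [
    {"EventID": "4720", "TargetUserName": "svc_backup", "SubjectUserName": "jsmith",
     "TimeCreated": "2018-11-05T09:01:10Z"},
    # Assumption: MemberName already resolved to a name (real events use MemberSid).
    {"EventID": "4732", "MemberName": "svc_backup", "TargetSid": ADMIN_GROUP_SID,
     "SubjectUserName": "jsmith", "TimeCreated": "2018-11-05T09:01:12Z"},
    {"EventID": "4624", "TargetUserName": "jsmith", "LogonType": "2",
     "IpAddress": "-", "TimeCreated": "2018-11-05T08:55:00Z"},
    {"EventID": "4624", "TargetUserName": "svc_backup", "LogonType": "10",
     "IpAddress": "192.0.2.10", "TimeCreated": "2018-11-05T22:14:03Z"},
    {"EventID": "4720", "TargetUserName": "intern01", "SubjectUserName": "hr_admin",
     "TimeCreated": "2018-11-06T10:00:00Z"},
]


def find_new_admin_rdp_logons(events: Iterable[dict]) -> list[dict]:
    """Return one finding per account that was created (4720), added to the
    local Administrators group (4732) and then used for an RDP logon (4624/10).

    Events are expected in chronological order, as exported from the log.
    """
    created: dict[str, dict] = {}
    added_to_admins: set[str] = set()
    reported: set[str] = set()
    findings: list[dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "4720":
            created[ev["TargetUserName"].lower()] = ev
        elif eid == "4732" and ev.get("TargetSid") == ADMIN_GROUP_SID:
            added_to_admins.add(ev["MemberName"].lower())
        elif eid == "4624" and ev.get("LogonType") == RDP_LOGON_TYPE:
            user = ev["TargetUserName"].lower()
            if user in created and user in added_to_admins and user not in reported:
                reported.add(user)
                findings.append({
                    "account": ev["TargetUserName"],
                    "created_by": created[user]["SubjectUserName"],
                    "created_at": created[user]["TimeCreated"],
                    "rdp_source": ev.get("IpAddress", "-"),
                    "rdp_at": ev["TimeCreated"],
                })
    return findings


def keylogger_artifact_paths(userprofile: str) -> list[str]:
    r"""Expand the keystroke log location reported for the group's tool,
    %userprofile%\appdata\roaming\apach.{txt,log}, into concrete paths."""
    base = userprofile.rstrip("\\") + r"\appdata\roaming\apach."
    return [base + ext for ext in ("txt", "log")]


def find_keylogger_artifacts(userprofile: str,
                             exists: Callable[[str], bool]) -> list[str]:
    """Return the candidate keystroke-log paths that exist; `exists` is
    injected (e.g. os.path.exists on the host) so the check is testable."""
    return [p for p in keylogger_artifact_paths(userprofile) if exists(p)]


if __name__ == "__main__":
    import os
    for f in find_new_admin_rdp_logons(SAMPLE_EVENTS):
        print("new local admin used over RDP:", f)
    profile = os.environ.get("USERPROFILE", r"C:\Users\example")
    for p in find_keylogger_artifacts(profile, os.path.exists):
        print("possible keystroke log present:", p)
```

Run on a real export, the correlation flags only accounts that went through all three steps, so routine account creation (the `intern01` record) and ordinary interactive logons do not fire. The artefact check is deliberately path-based because the page reports a fixed file name; extend `keylogger_artifact_paths` if the tool is observed writing elsewhere.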

Software

ID Name References Techniques
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 PsExec [1] Service Execution, Windows Admin Shares

References