Stolen Pencil
Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1176 | Browser Extensions |
Stolen Pencil victims are prompted to install malicious Google Chrome extensions which gave the threat actor the ability to read data from any website accessed. [1] |
|
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[1] |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{{txt,log}}. [1] |
| Enterprise | T1040 | Network Sniffing |
Stolen Pencil has a tool to sniff the network for passwords. [1] |
|
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Stolen Pencil gathers credentials using Mimikatz and Procdump. [1] |
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[1] |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Stolen Pencil utilized RDP for direct remote point-and-click access. [1] |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.[1] |
| Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP. [1] |