STOLEN PENCIL Campaign Targets Academia
Executive Summary
ASERT has learned of an APT campaign, possibly originating from the DPRK, that we are calling STOLEN PENCIL and that has been targeting academic institutions since at least May 2018. The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear-phishing e-mails that lead them to a web site displaying a lure document, where they are immediately prompted to install a malicious Google Chrome extension. Once they gain a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.
NOTE: NetScout AED/APS enterprise security products detect and block activity related to STOLEN PENCIL using our ATLAS Intelligence Feed (AIF).
Key Findings
- A wide variety of phishing domains implies other targets, but the domains aimed at academia were intended to install a malicious Chrome extension.
- A large number of the victims, across multiple universities, had …
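The summary above describes victims being prompted to install a malicious Chrome extension, but the report does not name it, so the practical hunt on an endpoint is an inventory of the profile's extensions that flags anything not installed from the Web Store and anything that can read every page. The Python below is an added example, not code from ASERT's report. It assumes Chrome's prefs layout: the profile's "Preferences" (or, on Windows, "Secure Preferences") JSON holds extensions.settings.<id> with from_webstore, location (4 = unpacked via developer mode, 5 = Chrome's own component), path, state and the manifest; the SAMPLE_PREFS snippet is constructed, not a capture.

```python
"""Inventory a Chrome profile's extensions and flag the ones worth a closer look.

Added example for hunting the malicious-extension step described in the
STOLEN PENCIL summary; not code from the ASERT report, which does not name
the extension. Assumed layout: extensions.settings.<id> carries from_webstore,
location (4 = unpacked, 5 = component), path, state and manifest.
SAMPLE_PREFS is constructed, not a real capture.
"""
import json
from pathlib import Path

# ManifestLocation values as assumed from Chromium's extension code.
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Permissions that let an extension read pages, cookies or traffic wholesale.
SENSITIVE = {"<all_urls>", "http://*/*", "https://*/*", "cookies", "webRequest",
             "webRequestBlocking", "tabs", "history", "nativeMessaging", "clipboardRead"}


def triage_extensions(prefs_json: str) -> list:
    """Return a finding for each non-component extension that is off-store or over-privileged."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location == 5:                      # Chrome's built-in component extensions
            continue
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        sensitive = sorted(perms & SENSITIVE)
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store (%s)" % LOCATION_NAMES.get(location, location))
        if sensitive:
            reasons.append("sensitive permissions: " + ", ".join(sensitive))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path", ""),
                "enabled": entry.get("state") == 1,   # state 1 = enabled (assumed from Chromium)
                "reasons": reasons,
            })
    return findings


def scan_profile(profile_dir) -> list:
    """Triage every prefs file present in a Chrome profile directory."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        prefs = Path(profile_dir) / name
        if prefs.is_file():
            findings.extend(triage_extensions(prefs.read_text(encoding="utf-8")))
    return findings


# Constructed prefs (not a real capture): a Web Store extension with a harmless
# permission, a component, an unpacked extension loaded from a user-writable
# Temp directory, and a disabled Web Store extension that can read every page.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Store Addon", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 5, "state": 1,
        "manifest": {"name": "Built-in", "permissions": ["<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "C:\\Users\\prof\\AppData\\Local\\Temp\\helper\\",
        "manifest": {"name": "Document Helper",
                     "permissions": ["cookies", "webRequest", "webRequestBlocking", "storage"],
                     "host_permissions": ["<all_urls>"]}},
    "dddddddddddddddddddddddddddddddd": {
        "from_webstore": True, "location": 1, "state": 0,
        "manifest": {"name": "Tab Tool", "permissions": ["tabs", "<all_urls>"]}},
}}})

if __name__ == "__main__":
    for finding in triage_extensions(SAMPLE_PREFS):
        print(finding)
```

On Windows the default profile is %LOCALAPPDATA%\Google\Chrome\User Data\Default; pass that directory to scan_profile. An off-store extension whose path points into a user-writable location, as in the constructed sample, is the one to pull for analysis, and a Web Store extension still deserves a look when its permissions let it read every page or every cookie.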
IoC
File hashes (MD5):
0569606a0a57457872b54895cf642143
09fabdc9aca558bb4ecf2219bb440d98
1bd173ee743b49cee0d5f89991fc7b91
1cdb3f1da5c45ac94257dbf306b53157
1d6ce0778cabecea9ac6b985435b268b
2d8c16c1b00e565f3b99ff808287983e
2ec54216e79120ba9d6ed2640948ce43
4e0696d83fa1b0804f95b94fc7c5ec0b
52dbd041692e57790a4f976377adeade
5b32288e93c344ad5509e76967ce2b18
6a127b94417e224a237c25d0155e95d6
75dd30fd0c5cf23d4275576b43bbab2c
8b8a2b271ded23c40918f0a2c410571d
98de4176903c07b13dfa4849ec88686a
9d1e11bb4ec34e82e09b4401cd37cf71
ab4a0b24f706e736af6052da540351d8
af84eb2462e0b47d9595c21cf0e623a5
e5e8f74011167da1bf3247dae16ee605
ecda8838823680a0dfc9295bdc2e31fa
f082f689394ac71764bca90558b52c4e
fd14c377bf19ed5603b761754c388d72
File hash (SHA-1):
33883e87807d6e71fdc24968cefc9b0d10ac214e
IP addresses:
5.196.169.223
74.208.247.127
92.222.212.0
104.148.109.48
107.175.130.191
132.148.240.198
134.73.90.114
172.81.132.211
173.248.170.149
URLs:
http://5.196.169.223
http://74.208.247.127
http://92.222.212.0
http://104.148.109.48
http://107.175.130.191
http://132.148.240.198
http://134.73.90.114
http://172.81.132.211
http://173.248.170.149
http://bizsonet.ayar.biz
http://bizsonet.com
http://client-message.com
http://client-screenfonts.com
http://coreytrevathan.com
http://docsdriver.com
http://grsvps.com
http://gworldtech.com
http://itservicedesk.org
http://pqexport.com
http://scaurri.com
http://secozco.com
http://sharedriver.pw
http://sharedriver.us
http://tempdomain8899.com
http://world-paper.net
http://zwfaxi.com
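The IoC list above contains MD5 digests, one SHA-1 digest, IPv4 addresses and URLs, and the URL entries for the IP addresses repeat addresses that are also listed on their own. To turn it into something a SOC can sweep logs with, the indicators need to be classified by shape, de-duplicated, and matched so that a subdomain of a listed domain still counts. The Python below is an added example, not code from ASERT's report: SAMPLE_IOCS is a subset copied from the report's list, while the Squid-style proxy log lines and the file-hash inventory are constructed for the demo.

```python
"""Classify the STOLEN PENCIL IoC list by indicator type and sweep logs for it.

Added example, not code from the ASERT report. SAMPLE_IOCS is a subset of the
report's indicators; the proxy log lines and file inventory are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the report's IoCs, in the mixed one-per-line form the page uses.
SAMPLE_IOCS = """
0569606a0a57457872b54895cf642143
33883E87807d6e71fDc24968cefc9b0d10aC214E
104.148.109.48
http://104.148.109.48
132.148.240.198
http://docsdriver.com
http://sharedriver.pw
http://bizsonet.ayar.biz
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
# Hostnames or dotted-quad IPs inside a log line, with an optional scheme in front.
HOST_RE = re.compile(
    r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})")


def classify(token: str):
    """Return (kind, normalised value) for one IoC line, or None if it is blank/unknown."""
    token = token.strip()
    if not token:
        return None
    if HEX_RE.match(token) and len(token) in HASH_KIND:
        return HASH_KIND[len(token)], token.lower()   # hex digests compare case-insensitively
    try:
        return "ip", str(ipaddress.ip_address(token))
    except ValueError:
        pass
    host = urlsplit(token).hostname if "://" in token else token
    host = (host or "").lower().rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(host))  # http://<ip> is the same indicator as <ip>
    except ValueError:
        return ("domain", host) if host else None


def parse_iocs(text: str) -> dict:
    """Group indicators by kind, collapsing duplicates such as an IP and its http:// form."""
    groups = defaultdict(set)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            groups[hit[0]].add(hit[1])
    return dict(groups)


def match_domain(host: str, domains: set):
    """Exact or parent-domain match: cdn.docsdriver.com hits docsdriver.com; ayar.biz alone does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def sweep_proxy_log(lines, iocs: dict) -> list:
    """Return (kind, indicator, line) for every IoC host or IP seen in the log lines."""
    hits = []
    ips, domains = iocs.get("ip", set()), iocs.get("domain", set())
    for line in lines:
        for token in HOST_RE.findall(line):
            try:
                ip = str(ipaddress.ip_address(token))
                if ip in ips:
                    hits.append(("ip", ip, line))
                continue
            except ValueError:
                pass
            hit = match_domain(token, domains)
            if hit:
                hits.append(("domain", hit, line))
    return hits


def sweep_hashes(inventory: dict, iocs: dict) -> list:
    """inventory maps path -> hex digest in any case; the digest kind is inferred from its length."""
    hits = []
    for path, digest in inventory.items():
        d = digest.strip().lower()
        kind = HASH_KIND.get(len(d))
        if kind and d in iocs.get(kind, set()):
            hits.append((kind, d, path))
    return hits


# Constructed Squid-style proxy lines (not real traffic); the last two are benign.
SAMPLE_PROXY_LOG = [
    "1543000000.101 10.20.0.15 TCP_MISS/200 GET http://docsdriver.com/lure.html DIRECT/104.148.109.48 text/html",
    "1543000000.202 10.20.0.15 TCP_MISS/200 GET http://cdn.sharedriver.pw/ext.crx DIRECT/132.148.240.198 application/octet-stream",
    "1543000000.303 10.20.0.22 TCP_MISS/200 GET https://www.example.edu/ DIRECT/93.184.216.34 text/html",
    "1543000000.404 10.20.0.22 TCP_MISS/200 GET http://ayar.biz/ DIRECT/198.51.100.7 text/html",
]

# Constructed file inventory (path -> digest); the third entry is a benign placeholder.
SAMPLE_INVENTORY = {
    r"C:\Users\prof\Downloads\update.exe": "0569606A0A57457872B54895CF642143",
    r"C:\Users\prof\AppData\Local\Temp\helper\background.js": "33883e87807d6e71fdc24968cefc9b0d10ac214e",
    r"C:\Windows\System32\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG, iocs) + sweep_hashes(SAMPLE_INVENTORY, iocs):
        print(*hit)
```

Feed the full list to parse_iocs and real proxy lines to sweep_proxy_log. The suffix match means any host under a listed domain counts, while a listed domain buried inside a longer unrelated name (docsdriver.com.example.net) does not; digests are compared case-insensitively, so inventories that record hashes in upper case still match.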