STOLEN PENCIL Campaign Targets Academia

description: ASERT has learned of an APT campaign, possibly originating from the DPRK, that has been targeting academic institutions since at least May 2018; we are calling it STOLEN PENCIL. The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear-phishing e-mails that lead them to a web site displaying a lure document, where they are immediately prompted to install a malicious Google Chrome extension. Once they have gained a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.

publish date:

reference:

IOC Table
total 50
type value
domain bizsonet.com
domain client-message.com
domain client-screenfonts.com
domain grsvps.com
domain itservicedesk.org
domain pqexport.com
domain scaurri.com
domain secozco.com
domain sharedriver.pw
domain sharedriver.us
domain tempdomain8899.com
domain world-paper.net
domain zwfaxi.com
FileHash-MD5 0569606a0a57457872b54895cf642143
FileHash-MD5 09fabdc9aca558bb4ecf2219bb440d98
FileHash-MD5 1bd173ee743b49cee0d5f89991fc7b91
FileHash-MD5 1cdb3f1da5c45ac94257dbf306b53157
FileHash-MD5 1d6ce0778cabecea9ac6b985435b268b
FileHash-MD5 2d8c16c1b00e565f3b99ff808287983e
FileHash-MD5 2ec54216e79120ba9d6ed2640948ce43
FileHash-MD5 4e0696d83fa1b0804f95b94fc7c5ec0b
FileHash-MD5 52dbd041692e57790a4f976377adeade
FileHash-MD5 5b32288e93c344ad5509e76967ce2b18
FileHash-MD5 6a127b94417e224a237c25d0155e95d6
FileHash-MD5 75dd30fd0c5cf23d4275576b43bbab2c
FileHash-MD5 8b8a2b271ded23c40918f0a2c410571d
FileHash-MD5 98de4176903c07b13dfa4849ec88686a
FileHash-MD5 9d1e11bb4ec34e82e09b4401cd37cf71
FileHash-MD5 ab4a0b24f706e736af6052da540351d8
FileHash-MD5 af84eb2462e0b47d9595c21cf0e623a5
FileHash-MD5 e5e8f74011167da1bf3247dae16ee605
FileHash-MD5 ecda8838823680a0dfc9295bdc2e31fa
FileHash-MD5 f082f689394ac71764bca90558b52c4e
FileHash-MD5 fd14c377bf19ed5603b761754c388d72
hostname aswewd.docsdriver.com
hostname bizsonet.ayar.biz
hostname facebook.docsdriver.com
hostname falken.docsdriver.com
hostname finder.docsdriver.com
hostname government.docsdriver.com
hostname keishancowan.docsdriver.com
hostname korean-summit.docsdriver.com
hostname mofa.docsdriver.com
hostname northkorea.docsdriver.com
hostname o365.docsdriver.com
hostname observatoireplurilinguisnorthkorea.docsdriver.com
hostname oodwd.docsdriver.com
hostname twitter.docsdriver.com
hostname whois.docsdriver.com
hostname www.docsdriver.com