STOLEN PENCIL Campaign Targets Academia
2018-12-05 • Arbornetworks
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/
NETSCOUT ASERT describes STOLEN PENCIL as an APT campaign, possibly of DPRK origin, that has targeted academic institutions since at least May 2018. Victims received spear-phishing emails linking to actor-controlled sites that displayed a lure document and prompted the visitor to install a malicious extension, published in the Chrome Web Store under a "Font Manager" name; the phishing infrastructure included domains such as client-message.com and North Korea-themed subdomains.

After compromise the operators concentrated on credential theft: dumping saved browser passwords, scraping process memory, sniffing network traffic and running keyloggers. In some cases they also configured email forwarding on victim mailboxes. Hands-on access relied on RDP and built-in Windows tools rather than a conventional RAT, which leaves fewer malware artifacts on the host than a RAT-based intrusion would.

The report highlights the academic (particularly biomedical-engineering) victim profile, Korean-language artifacts that point to operator OPSEC lapses, the extension's permission to read and change data on every website the user visits, and a set of PE tools for keylogging, cryptocurrency wallet-address replacement (cryptojacking), local administrator-account creation and RDP enablement.
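The permission pattern described above (host access to every URL combined with APIs that can read cookies and intercept requests) is what turns a "font manager" into a credential stealer, and it is visible in the extension's manifest.json before any code is reversed. The following audit script is an added example written for this page, not code from the NETSCOUT report or from the extension it analyzed. The sample manifest embedded in it is constructed to show the pattern and is not the real extension's manifest; the Chrome profile layout it walks (`Extensions/<id>/<version>/manifest.json`) is Chrome's standard on-disk layout.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
# "<all_urls>" and "*://*/*" are the usual spellings; the scheme-specific
# wildcards are equivalent in practice.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that, together with broad host access, let an extension read or
# alter credentials, sessions and page content. Assumed list, chosen for this example.
SENSITIVE_APIS = {
    "webRequest", "webRequestBlocking", "cookies", "tabs", "history",
    "clipboardRead", "nativeMessaging", "debugger", "declarativeNetRequest",
}


def broad_host_grants(manifest: dict) -> list:
    """List every place the manifest asks for access to all URLs.

    Covers MV2 ("permissions"), MV3 ("host_permissions"), optional grants and
    content-script match patterns, which inject code regardless of API permissions.
    """
    findings = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for pattern in manifest.get(key, []):
            if pattern in BROAD_HOST_PATTERNS:
                findings.append(f"{key}: {pattern}")
    for idx, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOST_PATTERNS:
                findings.append(f"content_scripts[{idx}].matches: {pattern}")
    return findings


def audit_extension(manifest: dict) -> dict:
    """Score one manifest: broad host access plus sensitive APIs is the credential-theft shape."""
    broad = broad_host_grants(manifest)
    requested = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    apis = sorted(p for p in requested if isinstance(p, str) and p in SENSITIVE_APIS)
    if broad and apis:
        verdict = "HIGH"
    elif broad or apis:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {
        "name": manifest.get("name"),  # may read "__MSG_...__" for localized extensions
        "manifest_version": manifest.get("manifest_version"),
        "broad_hosts": broad,
        "sensitive_apis": apis,
        "verdict": verdict,
    }


def audit_profile(profile_dir) -> list:
    """Audit every installed extension under a Chrome profile directory.

    Chrome stores Web Store extensions as <profile>/Extensions/<id>/<version>/manifest.json,
    e.g. under "%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default" on Windows.
    """
    results = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the sweep
        result = audit_extension(manifest)
        result["extension_id"] = manifest_path.parents[1].name
        result["path"] = str(manifest_path)
        results.append(result)
    return results


# Constructed sample manifest in the shape of a lure "Font Manager" extension. It is NOT
# the manifest of the extension in the report, only an illustration of the pattern.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Font Manager",
  "version": "1.0",
  "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies", "storage"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"], "run_at": "document_start"}],
  "background": {"scripts": ["background.js"], "persistent": true}
}
""")

if __name__ == "__main__":
    # With profile directories as arguments, audit them; with none, audit the sample manifest.
    batches = [audit_profile(p) for p in sys.argv[1:]] or [[audit_extension(SAMPLE_MANIFEST)]]
    for results in batches:
        for r in results:
            print(json.dumps(r, indent=2))
```

Run it with one or more Chrome profile paths to sweep a fleet image, or with no arguments to see the sample verdict. A HIGH verdict is not proof of malice (ad blockers and password managers legitimately request the same grants), so treat it as a triage queue to compare against the Web Store listing and an allow-list, not as a block decision.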
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 173.248.170.149 | 2018-12-05 | 2019-04-26 |
| HASH | e5e8f74011167da1bf3247dae16ee605 | 2018-12-05 | 2018-12-05 |
| HASH | 2ec54216e79120ba9d6ed2640948ce43 | 2018-12-05 | 2018-12-05 |
| HASH | 2d8c16c1b00e565f3b99ff808287983e | 2018-12-05 | 2018-12-05 |
| HASH | fd14c377bf19ed5603b761754c388d72 | 2018-12-05 | 2018-12-05 |
| HASH | ab4a0b24f706e736af6052da540351d8 | 2018-12-05 | 2018-12-05 |
| HASH | 1bd173ee743b49cee0d5f89991fc7b91 | 2018-12-05 | 2018-12-05 |
| HASH | 09fabdc9aca558bb4ecf2219bb440d98 | 2018-12-05 | 2018-12-05 |
| HASH | 6a127b94417e224a237c25d0155e95d6 | 2018-12-05 | 2018-12-05 |
| HASH | af84eb2462e0b47d9595c21cf0e623a5 | 2018-12-05 | 2018-12-05 |
| HASH | 1cdb3f1da5c45ac94257dbf306b53157 | 2018-12-05 | 2018-12-05 |
| HASH | 52dbd041692e57790a4f976377adeade | 2018-12-05 | 2018-12-05 |
| HASH | 1d6ce0778cabecea9ac6b985435b268b | 2018-12-05 | 2018-12-05 |
| HASH | f082f689394ac71764bca90558b52c4e | 2018-12-05 | 2018-12-05 |
| HASH | 0569606a0a57457872b54895cf642143 | 2018-12-05 | 2018-12-05 |
| HASH | 9d1e11bb4ec34e82e09b4401cd37cf71 | 2018-12-05 | 2018-12-05 |
| HASH | 98de4176903c07b13dfa4849ec88686a | 2018-12-05 | 2018-12-05 |
| HASH | 5b32288e93c344ad5509e76967ce2b18 | 2018-12-05 | 2018-12-05 |
| HASH | ecda8838823680a0dfc9295bdc2e31fa | 2018-12-05 | 2018-12-05 |
| HASH | 4e0696d83fa1b0804f95b94fc7c5ec0b | 2018-12-05 | 2018-12-05 |
| HASH | 75dd30fd0c5cf23d4275576b43bbab2c | 2018-12-05 | 2018-12-05 |
| HASH | 8b8a2b271ded23c40918f0a2c410571d | 2018-12-05 | 2018-12-05 |
| DOMAIN | client-message.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | secozco.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | bizsonet.ayar.biz | 2018-12-05 | 2018-12-05 |
| DOMAIN | zwfaxi.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | docsdriver.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | tempdomain8899.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | gworldtech.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | world-paper.net | 2018-12-05 | 2018-12-05 |
| DOMAIN | grsvps.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | pqexport.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | bizsonet.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | scaurri.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | coreytrevathan.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | itservicedesk.org | 2018-12-05 | 2018-12-05 |
| DOMAIN | client-screenfonts.com | 2018-12-05 | 2018-12-05 |
| IPv4 | 5.196.169.223 | 2018-12-05 | 2018-12-05 |
| IPv4 | 74.208.247.127 | 2018-12-05 | 2018-12-05 |
| IPv4 | 104.148.109.48 | 2018-12-05 | 2018-12-05 |
| IPv4 | 172.81.132.211 | 2018-12-05 | 2018-12-05 |
| IPv4 | 132.148.240.198 | 2018-12-05 | 2018-12-05 |
| IPv4 | 107.175.130.191 | 2018-12-05 | 2018-12-05 |
| IPv4 | 134.73.90.114 | 2018-12-05 | 2018-12-05 |
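The table above is only useful once it is matched against telemetry, and a naive string search misses two things: subdomains of a listed domain (the lure sites used hostnames under the listed domains) and hash case. The script below is an added example written for this page, not tooling from NETSCOUT or the report; it parses a few rows copied from the table (the whole table can be pasted in unchanged), then scans free-form log lines for IPv4, MD5 and domain hits with suffix matching. The log lines are constructed for the example and do not come from the report.

```python
import re
from collections import defaultdict
from typing import Optional

# A few rows copied from the IOC table above; the full table can be pasted in as-is.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 173.248.170.149 | 2018-12-05 | 2019-04-26 |
| HASH | e5e8f74011167da1bf3247dae16ee605 | 2018-12-05 | 2018-12-05 |
| DOMAIN | client-message.com | 2018-12-05 | 2018-12-05 |
| DOMAIN | client-screenfonts.com | 2018-12-05 | 2018-12-05 |
| IPv4 | 5.196.169.223 | 2018-12-05 | 2018-12-05 |
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Hostname: one or more labels followed by an alphabetic TLD, so IPv4 literals never match.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def parse_ioc_table(text: str) -> dict:
    """Turn the markdown table into {"IPV4": {...}, "HASH": {...}, "DOMAIN": {...}}."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("", "Type") or set(cells[0]) == {"-"}:
            continue  # blank line, header row or separator row
        iocs[cells[0].upper()].add(cells[1].lower())
    return dict(iocs)


def match_domain(hostname: str, bad_domains: set) -> Optional[str]:
    """Return the IOC domain if hostname equals it or sits under it (mail.client-message.com)."""
    labels = hostname.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def scan_log(lines: list, iocs: dict) -> list:
    """Report every IOC observed in free-form log lines (DNS, proxy, EDR, mail, ...)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs.get("IPV4", set()):
                hits.append({"line": n, "type": "IPv4", "ioc": ip})
        for h in MD5_RE.findall(line):
            if h.lower() in iocs.get("HASH", set()):
                hits.append({"line": n, "type": "HASH", "ioc": h.lower()})
        for host in HOST_RE.findall(line):
            ioc = match_domain(host, iocs.get("DOMAIN", set()))
            if ioc:
                hits.append({"line": n, "type": "DOMAIN", "ioc": ioc, "observed": host.lower()})
    return hits


# Constructed log lines (not from the report) in a generic key=value style.
SAMPLE_LOGS = [
    "2018-12-06T08:12:01Z dns client=10.1.4.22 query=mail.client-message.com type=A",
    "2018-12-06T08:12:03Z proxy client=10.1.4.22 dst=5.196.169.223 url=https://client-screenfonts.com/fontmanager.crx",
    "2018-12-06T08:13:10Z edr host=lab-ws07 event=process_create image=C:\\Temp\\svc.exe md5=E5E8F74011167DA1BF3247DAE16EE605",
    "2018-12-06T08:14:00Z dns client=10.1.4.23 query=www.example.org type=A",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(hit)
```

Suffix matching is deliberate: bizsonet.ayar.biz and bizsonet.com are both listed, and a query for any host under either should fire. The IP 173.248.170.149 carries a Last Seen date months after the others, so treat IP hits as the weakest signal (shared hosting churns) and domain or hash hits as the strongest.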