Stolen Pencil Trojan

Stolen Pencil, also known as Stolepen, is a trojan that targets devices using Google Chrome on Microsoft Windows. It was first observed in May 2018.

Stolen Pencil is distributed through a spear phishing campaign that contains a malicious PDF attachment. Once opened, the PDF will prompt the user to install a malicious Chrome extension.

The malicious extensions have since been removed from the Chrome Web Store; while they were listed, they carried 5-star reviews left by the threat actor using compromised Google+ accounts.

Once installed, Stolen Pencil logs keystrokes and replaces Ethereum wallet addresses with the attacker's own wallet address. The malware also creates administrator accounts, enables Remote Desktop Protocol (RDP) on the compromised device, and adds a firewall exception for RDP.
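The RDP, firewall and account changes described above leave a footprint that can be checked on a Windows host. The following PowerShell triage script is an added example, not code from the original post or from the malware report; the 7-day lookback window and the exact output format are assumptions, while the registry value, firewall cmdlets and Security event IDs 4720/4732 are standard Windows items.

```powershell
# Added triage example: checks a Windows host for the persistence changes the article
# describes (RDP enabled, RDP allowed through the firewall, recent local account creation
# or group membership changes). Run from an elevated PowerShell session.
$findings = @()
$lookback = (Get-Date).AddDays(-7)   # assumption: look back one week

# 1. Is RDP enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled (fDenyTSConnections = 0)'
}

# 2. Enabled inbound allow rules that cover TCP/3389, whether from the built-in
#    "Remote Desktop" group or an ad-hoc rule added by the malware.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($r in $rdpRules) {
    $findings += "Inbound allow rule for 3389: '$($r.DisplayName)' (group: $($r.DisplayGroup))"
}

# 3. Recent account creation (4720) and additions to a local security group (4732)
#    from the Security event log within the lookback window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $lookback } `
        -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = $e.Message.Split("`n")[0].Trim()
    $findings += "$($e.TimeCreated) EventID $($e.Id): $firstLine"
}

# 4. Current local Administrators membership, to compare against a known baseline.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$findings += 'Local Administrators: ' + (($admins | ForEach-Object { $_.Name }) -join ', ')

# Print the collected findings; an unexpected RDP enablement plus a new admin account
# in the same window is the combination worth escalating.
$findings | ForEach-Object { Write-Output $_ }
```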

Indicators Of Compromise


MECHANICAL hashes

9d1e11bb4ec34e82e09b4401cd37cf71
8b8a2b271ded23c40918f0a2c410571d

GREASE hashes


Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.
