Stolen Pencil Malware Campaign

Original Issue Date:- December 10, 2018
Virus Type:- Trojan
Severity:- Medium

A Targeted attack campaign (named as Stolen Pencil) is reported whose motivation is to steal the credentials from victim machine which they used in later stage for performing malicious activity. The initial mode of infection is through phishing mail which install a malicious Chrome extension on victim machine.

  • These malicious chrome extension performed many malicious activities like read data from every site visit by victim, steal browser cookie, passwords and also do Email forwarding on some compromised accounts.
  • After getting victim credentials, attacker build connection to victim machine using RDP instead of RAT (Remote administrator tool) to remain undetected.
  • Attackers reportedly used many tool for stealing the credentials from victim machine like KPortScan, PsExec, Mimikatz, NirsoftSniffPass,Nirsoft WebBrowserPassView, etc. which were found in zip file from the victim machine. Attacker also used stolen certificate for using some of its tool. The indicators of compromise of this campaign:

Indicators of Compromise:


  • 104.148.109[.]48
  • 107.175.130[.]191
  • 132.148.240[.]198
  • 134.73.90[.]114
  • 172.81.132[.]211
  • 173.248.170[.]149
  • 5.196.169[.]223
  • 74.208.247[.]127
  • 92.222.212[.]0


  • 9d1e11b b4ec34e82e09b4401cd37cf71
  • 8b8a2b271ded23c40918f0a2c410571d
  • fd14c377bf19ed5603b761754c388d72
  • 1d6ce0778cabecea9ac6b985435b268b
  • ab4a0b24f706e736af6052da540351d8
  • f082f689394ac71764bca90558b52c4e
  • ecda8838823680a0dfc9295bdc2e31fa
  • 1cdb3f1da5c45ac94257dbf306b53157
  • 2d8c16c1b00e565f3b99ff808287983e
  • 5b32288e93c344ad5509e76967ce2b18
  • 4e0696d83fa1b0804f95b94fc7c5ec0b
  • af84eb2462e0b47d9595c21cf0e623a5
  • 75dd30fd0c5cf23d4275576b43bbab2c
  • 98de4176903c07b13dfa4849ec88686a
  • 09fabdc9aca558bb4ecf2219bb440d98
  • 1bd173ee743b49cee0d5f89991fc7b91
  • e5e8f74011167da1bf3247dae16ee605
  • 0569606a0a57457872b54895cf642143
  • 52dbd041692e57790a4f976377adeade


  • bizsonet.ayar[.]biz
  • bizsonet[.]com
  • client-message[.]com
  • client-screenfonts[.]com
  • *.coreytrevathan[.]com(possibly compromised legitimate site)
  • docsdriver[.]com
  • grsvps[.]com
  • *.gworldtech[.]com(possibly compromised legitimate site)
  • itservicedesk[.]org
  • pqexport[.]com
  • scaurri[.]com
  • secozco[.]com
  • sharedriver[.]pw
  • sharedriver[.]us
  • tempdomain8899[.]com
  • world-paper[.]net
  • zwfaxi[.]com
    Stolen Certificate Installed in victim machine
  • EGIS Co., Ltd having serial no 0F FF E4 32 A5 3F F0 3B 92 23 F8 8B E1 B8 3D 9D


  • Users are advised to regularly review the extension installed in their system (by click on the More button > Tools >Extensions) and manually remove any unwanted or suspicious extension they found in their browser. Users can also use the Chrome Clean up tool from below mentioned link.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389) and if required then implant proper policies while using it and also monitor all the traffic route through RDP.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header). Monitor user's web browsing habits; restrict access to sites with unfavourable content.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Block the attachments of file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Restrict execution of Power shell /WSCRIPT in enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.