TrollAgent (Kimsuky group) infecting systems during security program installation

2024-02-16 Ahnlab TrollAgent (Kimsuky group) infected during security program installation process

https://asec.ahnlab.com/ko/61666/


AhnLab found that a South Korean construction association website was serving trojanized security installers during the login process, exposing users who installed NX_PRNMAN or earlier TrustPKI packages. The modified installers were signed with a valid D2Innovation certificate, were uploaded only during certain time windows, and AhnLab counted more than 3,000 infections from the samples it obtained. The payload set included TrollAgent, a Go-based DLL infostealer run through rundll32.exe, along with related backdoors that resemble malware previously tied to Kimsuky activity. TrollAgent steals system data, browser credentials, cookies, bookmarks, history, extensions, and other local information, then communicates with C2 servers hosted under multiple p-e.kr, kro.kr, and co.kr domains.

Indicators of Compromise

