Kimsuky APT: The TrollAgent Stealer Analysis

2024-07-15 • Darkatlas •

https://darkatlas.io/blog/kimsuky-apt-the-trollagent-stealer-analysis

#Kimsuky #TrollAgent #T1082 #T1059.003 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1083 #T1036 #T1555.003 #T1057 #T1518.001 #T1539 #T1027.002 #T1016 #T1087.001 #T1218.011

Thumbnail for Kimsuky APT: The TrollAgent Stealer Analysis

Dark Atlas analyzed Kimsuky's TrollAgent stealer campaign against South Korean targets, with samples compiled in late 2023 and activity tracked from January 2024. The installer used digital signatures from SGA Solutions and D2innovation, dropped a Go-based VMProtect-protected DLL, removed the initial installer with a batch file, and used a ProgramData file tied to the DLL export name as an execution check. TrollAgent created the mutex "chrome development kit 1.0", built a victim profile from the MAC address and version string "[email protected]", encrypted collected data with RSA, and uploaded it to C2 infrastructure. The report identified C2 URLs at sa[.]netup.p-e[.]kr and dl[.]netup.p-e[.]kr and described collection functions for victim data and follow-on work.

Indicators of Compromise

Type	Value	First Seen	Last Seen
YARA	TrollAgent_Kimsuky_Stealer	2024-07-15	2024-07-15
HASH	2e5f2a154e1b67cd0d6a2f6b5feb6de7	2024-07-15	2024-07-15
HASH	3b596ca429cf1b733f1ff3676189e44a	2024-07-15	2024-07-15
HASH	045f28a479ba19a95c0407a663e2f188	2024-07-15	2024-07-15
HASH	9e75705b4930f50502bcbd740fc3ece1	2024-02-16	2024-07-15
HASH	a67cf9add2905c11f5c466bc01d554b0	2024-02-16	2024-07-15
URL	http://sa.netup.p-e.kr/index.php	2024-02-16	2024-07-15
URL	http://dl.netup.p-e.kr/index.php	2024-02-16	2024-07-15
DOMAIN	sa.netup.p-e.kr	2024-02-16	2024-07-15
DOMAIN	dl.netup.p-e.kr	2024-02-16	2024-07-15
HASH	2e0ffaab995f22b7684052e53b8c64b…	2024-02-07	2024-07-15
HASH	7457dc037c4a5f3713d9243a0dfb1a2c	2024-01-30	2024-07-15
HASH	88f183304b99c897aacfa321d58e1840	2024-01-30	2024-07-15
HASH	27ef6917fe32685fdf9b755eb8e97565	2024-01-30	2024-07-15
HASH	7b6d02a459fdaa4caa1a5bf741c4bd42	2024-01-30	2024-07-15
HASH	c8e7b0d3b6afa22e801cacaf16b37355	2024-01-30	2024-07-15
URL	http://qi.limsjo.p-e.kr/index.p…	2024-01-30	2024-07-15
URL	http://ol.negapa.p-e.kr/index.p…	2024-01-30	2024-07-15
URL	http://ai.negapa.p-e.kr/index.p…	2024-01-30	2024-07-15
URL	http://ar.kostin.p-e.kr/index.p…	2024-01-30	2024-07-15
DOMAIN	ai.negapa.p-e.kr	2024-01-30	2024-07-15
DOMAIN	ar.kostin.p-e.kr	2024-01-30	2024-07-15
DOMAIN	ol.negapa.p-e.kr	2024-01-30	2024-07-15
DOMAIN	qi.limsjo.p-e.kr	2024-01-30	2024-07-15

Related Actors

Kimsuky

Kaspersky

First seen: Sep 2013

Last seen: Jun 2026

Related Reports

2024-02-08 • 79% Match

Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer…

S2W

#Kimsuky #D2Innovation #TrollStealer #T1082 #T1059.003 #T1005 #T1041 #T1113 #T1560 #T1071.001 #T1083 #T1204.002 #T1555.003 #T1057 #T1518.001 #T1539 #T1059.001 #T1027.002 #T1016 #T1087.001 #T1588.004

Shares tags: Kimsuky, T1082, T1059.003 • Shares 14 IOCs

2024-02-07 • 79% Match

Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer

S2W

Shares tags: Kimsuky, T1082, T1059.003 • Shares 14 IOCs

2024-07-19 • 71% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: Kimsuky, T1082, T1059.003 • Published within a week

2024-09-12 • 61% Match

APT PROFILE – KIMSUKY

Cyfirma

#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: Kimsuky, T1082, T1059.003

2024-02-23 • 60% Match