Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer

2024-02-07 S2W

https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-35b3cd961f91

S2W Talon assesses that Kimsuky or a closely related cluster distributed Troll Stealer through installers masquerading as SGA Solutions security software on a Korean download page. The dropper and decoy installer were signed with a valid D2innovation Co.,LTD certificate, dropped a VMProtect-packed Go DLL, and ran it through rundll32 while showing the victim a normal TrustPKI or NX_PRNMAN installer. Troll Stealer gathers SSH, FileZilla, Microsoft Sticky Notes, GPKI, browser, screenshot, and system data, encrypts the files, and sends them to C2 endpoints such as qi.limsjo.p-e.kr and ai.limsjo.p-e.kr. S2W links the malware to Kimsuky tradecraft through similarities with AppleSeed and AlphaSeed, while noting that some TTP differences leave room for a closely aligned operator.

Indicators of Compromise
