Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer…

2024-02-08 S2W

https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

S2W Talon analyzed Troll Stealer, a Go-based infostealer distributed from a Korean security program download flow that redirected users to installers for products such as TrustPKI and NX_PRNMAN. Only some installers on the site were modified, and the dropper ran the legitimate installer while loading a malicious DLL signed with a valid D2innovation certificate, suggesting certificate theft. Troll Stealer collects SSH, FileZilla, browser, C drive, system, and screenshot data before sending it to C2 infrastructure, and its GPKI-stealing capability points to interest in South Korean public or administrative systems. S2W assessed Kimsuky involvement because the malware shares collection commands and encryption patterns with AppleSeed and AlphaSeed, while noting that a closely related group could also be responsible.

Indicators of Compromise

