TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)

2024-02-23 Ahnlab

https://asec.ahnlab.com/en/61934/


AhnLab reports that Kimsuky compromised the security-program installation flow on the website of a Korean construction-related association, so that users who tried to log in installed malware alongside the required security software. The malicious NX_PRNMAN installer, and earlier TrustPKI variants from December 2023, were packed with VMProtect, signed with a stolen D2Innovation certificate, and dropped GoLang malware under %APPDATA% that is executed through rundll32.exe. AhnLab says more than 3,000 infections were observed and identifies TrollAgent as an infostealer that collects system information, browser credentials, cookies, bookmarks, history, and extensions. Some installers also deployed GoLang or C++ backdoors whose C2 command patterns resemble those of earlier Kimsuky AppleSeed and fake import-declaration campaigns.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
HASH    9e75705b4930f50502bcbd740fc3ece1  2024-02-16  2024-07-15
HASH    a67cf9add2905c11f5c466bc01d554b0  2024-02-16  2024-07-15
URL     http://sa.netup.p-e.kr/index.php  2024-02-16  2024-07-15
URL     http://dl.netup.p-e.kr/index.php  2024-02-16  2024-07-15
DOMAIN  sa.netup.p-e.kr                   2024-02-16  2024-07-15
DOMAIN  dl.netup.p-e.kr                   2024-02-16  2024-07-15
HASH    7457dc037c4a5f3713d9243a0dfb1a2c  2024-01-30  2024-07-15
HASH    88f183304b99c897aacfa321d58e1840  2024-01-30  2024-07-15
HASH    27ef6917fe32685fdf9b755eb8e97565  2024-01-30  2024-07-15
HASH    7b6d02a459fdaa4caa1a5bf741c4bd42  2024-01-30  2024-07-15
HASH    c8e7b0d3b6afa22e801cacaf16b37355  2024-01-30  2024-07-15
URL     http://qi.limsjo.p-e.kr/index.p…  2024-01-30  2024-07-15
URL     http://ol.negapa.p-e.kr/index.p…  2024-01-30  2024-07-15
URL     http://ai.negapa.p-e.kr/index.p…  2024-01-30  2024-07-15
URL     http://ar.kostin.p-e.kr/index.p…  2024-01-30  2024-07-15
DOMAIN  ai.negapa.p-e.kr                  2024-01-30  2024-07-15
DOMAIN  ar.kostin.p-e.kr                  2024-01-30  2024-07-15
DOMAIN  ol.negapa.p-e.kr                  2024-01-30  2024-07-15
DOMAIN  qi.limsjo.p-e.kr                  2024-01-30  2024-07-15
HASH    2b678c0f59924ca90a753daa881e9fd3  2024-02-16  2024-03-25
HASH    e4a6d47e9e60e4c858c1314d263aa317  2024-02-16  2024-03-25
HASH    4222492e069ac78a55d3451f4b9b9fca  2024-02-16  2024-03-25
HASH    4168ff8b0a3e2f7e9c96afb653d42a01  2024-02-16  2024-03-25
HASH    013c4ee2b32511b11ee9540bb0fdb9d1  2024-02-16  2024-03-25
HASH    9360a895837177d8a23b2e3f79508059  2024-02-16  2024-03-25
HASH    42ea65fda0f92bbeca5f4535155125c7  2024-02-16  2024-03-25
HASH    b532f3dcc788896c4844f36eb6cee3d1  2024-02-16  2024-03-25
HASH    62fba369711087ea37ef0b0ab62f3372  2024-02-16  2024-03-25
HASH    d67abe980a397a94e1715df6e64eedc8  2024-02-16  2024-03-25
HASH    8d4af59eebdcda10f3c88049bb097a3a  2024-02-16  2024-03-25
HASH    b97abf7b17aeb4fa661594a4a1e5c77f  2024-02-16  2024-03-25
HASH    2aaa3f1859102aab35519f0d4c1585dd  2024-02-16  2024-03-25
HASH    035cf750c67de0ab2e6228409ac85ea3  2024-02-16  2024-03-25
HASH    dc636da03e807258d2a10825780b4639  2024-02-16  2024-03-25
HASH    6097d030fe6f05ec0249e4d87b6be4a6  2024-02-16  2024-03-25
DOMAIN  pe.daysol.p-e.kr                  2024-02-16  2024-03-25
DOMAIN  ce.aerosp.p-e.kr                  2024-02-16  2024-03-25
DOMAIN  ca.bananat.p-e.kr                 2024-02-16  2024-03-25
DOMAIN  viewer.appofficer.kro.kr          2024-02-16  2024-03-25
DOMAIN  pi.selecto.p-e.kr                 2024-02-16  2024-03-25
DOMAIN  ai.selecto.p-e.kr                 2024-02-16  2024-03-25
DOMAIN  ai.ssungmin.p-e.kr                2024-02-16  2024-03-25
DOMAIN  ai.daysol.p-e.kr                  2024-02-16  2024-03-25
DOMAIN  ai.bananat.p-e.kr                 2024-02-16  2024-03-25
DOMAIN  ai.kimyy.p-e.kr                   2024-02-16  2024-03-25
DOMAIN  li.ssungmin.p-e.kr                2024-02-16  2024-03-25
DOMAIN  ai.aerosp.p-e.kr                  2024-02-16  2024-03-25
DOMAIN  ve.kimyy.p-e.kr                   2024-02-16  2024-03-25
DOMAIN  qa.jaychoi.p-e.kr                 2024-02-16  2024-03-25
HASH    19c2decfa7271fa30e48d4750c1d18c1  2024-01-30  2024-03-25
HASH    87429e9223d45e0359cd1c41c0301836  2024-01-30  2024-03-25
DOMAIN  ai.kostin.p-e.kr                  2024-01-30  2024-03-25
DOMAIN  coolsystem.co.kr                  2024-01-30  2024-03-25
DOMAIN  ai.limsjo.p-e.kr                  2024-01-30  2024-03-25
URL     http://ai.limsjo.p-e.kr/index.p…  2024-01-30  2024-03-05
URL     http://ai.kostin.p-e.kr/index.p…  2024-01-30  2024-03-05
URL     http://coolsystem.co.kr/admin/m…  2024-01-30  2024-03-05
URL     http://pe.daysol.p-e.kr/index.p…  2024-02-16  2024-02-23
URL     http://pi.selecto.p-e.kr/index.…  2024-02-16  2024-02-23
URL     http://ai.aerosp.p-e.kr/index.p…  2024-02-16  2024-02-23
URL     http://qa.jaychoi.p-e.kr/index.…  2024-02-16  2024-02-23
URL     http://ai.ssungmin.p-e.kr/index…  2024-02-16  2024-02-23
URL     http://ai.selecto.p-e.kr/index.…  2024-02-16  2024-02-23
URL     http://ca.bananat.p-e.kr/index.…  2024-02-16  2024-02-23
URL     http://ce.aerosp.p-e.kr/index.p…  2024-02-16  2024-02-23
URL     http://ai.bananat.p-e.kr/index.…  2024-02-16  2024-02-23
URL     http://ve.kimyy.p-e.kr/index.php  2024-02-16  2024-02-23
URL     http://li.ssungmin.p-e.kr/index…  2024-02-16  2024-02-23
URL     http://ai.kimyy.p-e.kr/index.php  2024-02-16  2024-02-23
URL     http://ai.daysol.p-e.kr/index.p…  2024-02-16  2024-02-23
URL     http://viewer.appofficer.kro.kr…  2024-02-16  2024-02-23
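As an added example (not code from AhnLab or the report), the script below turns an IoC table in the flat "Type Value First Seen Last Seen" layout used above into structured records and checks constructed sample telemetry against it. Two details matter for a practitioner: a URL that the feed truncates with "…" can only be matched as a prefix and is flagged as such, and the summary's rundll32.exe-from-%APPDATA% execution pattern is added as a behavioural rule so that a sample not yet in the hash list still surfaces. The embedded table is an excerpt of the one above; the event records, their field names, the file path and the rule text are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Excerpt of the IoC table above, in the same flat layout (copied from the page;
# the trailing "…" is the page's own truncation mark on long URLs).
IOC_TABLE = """\
Type Value First Seen Last Seen
HASH 9e75705b4930f50502bcbd740fc3ece1 2024-02-16 2024-07-15
URL http://sa.netup.p-e.kr/index.php 2024-02-16 2024-07-15
DOMAIN sa.netup.p-e.kr 2024-02-16 2024-07-15
URL http://qi.limsjo.p-e.kr/index.p… 2024-01-30 2024-07-15
DOMAIN qi.limsjo.p-e.kr 2024-01-30 2024-07-15
"""


@dataclass(frozen=True)
class Ioc:
    kind: str        # HASH, URL or DOMAIN
    value: str       # lower-cased, with any trailing "…" removed
    first_seen: str
    last_seen: str
    truncated: bool  # True when the feed only shows a prefix: match as prefix


def parse_ioc_table(text: str) -> List[Ioc]:
    """Parse the flat table; every data row is exactly four whitespace-separated fields."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # header ("Type Value First Seen Last Seen"), blanks
            continue
        kind, value, first, last = parts
        truncated = value.endswith("…")
        iocs.append(Ioc(kind, value.rstrip("…").lower(), first, last, truncated))
    return iocs


# Constructed sample telemetry (assumption: one dict per event, field names invented).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "sa.netup.p-e.kr"},
    {"type": "http", "url": "http://qi.limsjo.p-e.kr/index.php?id=1"},
    {"type": "file", "hash": "9E75705B4930F50502BCBD740FC3ECE1",
     "path": r"C:\Users\u\AppData\Roaming\sample\helper.dll"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\u\AppData\Roaming\sample\helper.dll",Run'},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign, should not match
    {"type": "dns", "query": "example.com"},
]

# %APPDATA% resolves to ...\AppData\Roaming; look for a DLL loaded from there.
APPDATA_DLL = re.compile(r'\\appdata\\roaming\\[^\s"]+\.dll', re.IGNORECASE)


def match_event(event: dict, iocs: List[Ioc]) -> List[str]:
    """Return the label of every IoC or behavioural rule this event triggers."""
    hits = []
    etype = event.get("type")
    for ioc in iocs:
        if ioc.kind == "HASH" and etype == "file":
            if event["hash"].lower() == ioc.value:
                hits.append(f"HASH {ioc.value}")
        elif ioc.kind == "DOMAIN" and etype == "dns":
            q = event["query"].lower().rstrip(".")
            if q == ioc.value or q.endswith("." + ioc.value):   # exact or subdomain
                hits.append(f"DOMAIN {ioc.value}")
        elif ioc.kind == "URL" and etype == "http":
            u = event["url"].lower()
            matched = u.startswith(ioc.value) if ioc.truncated else u == ioc.value
            if matched:
                hits.append(f"URL {ioc.value}{'…' if ioc.truncated else ''}")
    # Behavioural rule from the summary: rundll32.exe executing a DLL out of %APPDATA%.
    if etype == "process" and event["image"].lower().endswith("\\rundll32.exe"):
        if APPDATA_DLL.search(event["cmdline"]):
            hits.append("rundll32.exe executing DLL from %APPDATA%")
    return hits


def scan(events: List[dict], iocs: List[Ioc]) -> Dict[int, List[str]]:
    """Map event index -> hit labels, keeping only events that matched something."""
    result = {}
    for i, event in enumerate(events):
        hits = match_event(event, iocs)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for idx, labels in scan(SAMPLE_EVENTS, table).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], labels)
```

Prefix matches against truncated URLs are weaker evidence than an exact URL or hash hit, which is why the label keeps the "…" so an analyst can see which kind of match fired; the full domain entries in the table give an exact match for the same hosts.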