TrollAgent delivered through a security-software installation process (Kimsuky group) – ASEC BLOG

Malware masquerading as legitimate security installers was observed on the login portal of a domestic construction association website, where users are prompted to install security software and may inadvertently download malicious payloads. The delivered malware includes the TrollAgent infostealer and Go/C++ backdoors; it is VMProtect-packed and signed with a legitimate D2Innovation certificate to evade detection, and the abuse of the login flow to install malicious components has led to at least 3,000 infections. #TrollAgent #TrustPKI #NX_PRNMAN #D2Innovation #Kimsuky

Keypoints

  • Malicious installers are distributed via a domestic website’s login flow, prompting users to install security software that contains malware.
  • The compromised installers include NX_PRNMAN and TrustPKI variants, with distribution tied to specific time windows and over 3,000 confirmed infections.
  • Malicious files are VMProtect-packed and signed with a legitimate certificate from D2Innovation to evade detection at download and execution.
  • The malware drops its components under %APPDATA% and executes them via rundll32.exe, establishing a foothold on the system without the user's awareness.
  • TrollAgent infostealer extracts extensive browser data (credentials, cookies, bookmarks, history, extensions) from Chrome and Firefox, in addition to system information.
  • Backdoor families (Go/C++, Endoor) are deployed alongside TrollAgent, with C2 activity and overlaps with earlier Kimsuky campaigns (AppleSeed).

MITRE Techniques

  • [T1218.011] Rundll32 – Execution through rundll32.exe after the malicious installer runs, enabling execution of the dropped payload. ‘In addition to normal installers, the malware is created in the “%APPDATA%” path and executed by the rundll32.exe process.’
  • [T1027] Obfuscated/Compressed Files and Information – The malicious installers are packed with VMProtect to evade detection. ‘The malicious installer files are packed with VMProtect, and…’
  • [T1036] Masquerading – The deployment is framed as legitimate security software and distributed via a trusted-looking installer. ‘Among the programs the user is prompted to install, an installer file containing malware…’
  • [T1555.003] Credentials from Web Browsers – TrollAgent steals browser-stored credentials and related data from Chrome and Firefox. ‘It provides functionality to steal a large amount of web-browser-related information.’
  • [T1082] System Information Discovery – TrollAgent collects system information in addition to browser data. ‘In addition to system information…’
  • [T1071.001] Web Protocols – The backdoors/C2 use HTTP(S) endpoints to receive commands from attacker-controlled servers. ‘It receives the attacker's commands from the C&C server and…’
    Example C2 domains include hxxp://sa.netup.p-e[.]kr/index.php, hxxp://dl.netup.p-e[.]kr/index.php

Indicators of Compromise

  • [MD5] Malicious installer samples – 9e75705b4930f50502bcbd740fc3ece1, 27ef6917fe32685fdf9b755eb8e97565, and 24 more hashes (TrustPKI/NX_PRNMAN variants)
  • [Domain] Command-and-Control domains – sa.netup.p-e[.]kr/index.php, dl.netup.p-e[.]kr/index.php, ai.kimyy.p-e[.]kr/index.php, and 17 more domains
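The two behaviours above that are easiest to turn into detections are rundll32.exe loading a DLL dropped under %APPDATA% (T1218.011) and outbound connections to the listed C2 hosts (T1071.001), plus a straight match on the quoted installer hashes. The script below is an added example written for this page, not ASEC's code or anything from the report: the event dictionaries are constructed samples in a Sysmon-like shape (field names `image`, `command_line`, `md5`, `dest_host` are assumptions), the user path and DLL name in the sample command line are placeholders, and only the hashes and domains actually printed on this page are used (the "and N more" entries are not reproduced).

```python
"""Detection helpers for the TrollAgent delivery chain described above.

Constructed example, not the report's code. Scans process-creation and
network events for:
  * rundll32.exe executing a DLL under %APPDATA%          (T1218.011)
  * connections to the C2 hosts quoted on the page        (T1071.001)
  * installer MD5s matching the sample hashes on the page (IOC match)
Event field names and all sample events are assumptions/constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOCs quoted on this page. Domains are kept defanged as published and
# refanged here so they can be matched against real telemetry.
KNOWN_HASHES = {
    "9e75705b4930f50502bcbd740fc3ece1",
    "27ef6917fe32685fdf9b755eb8e97565",
}
KNOWN_C2_HOSTS = {
    h.replace("[.]", ".")
    for h in ("sa.netup.p-e[.]kr", "dl.netup.p-e[.]kr", "ai.kimyy.p-e[.]kr")
}

# A DLL path under the per-user roaming profile, in either the literal
# %APPDATA% form or its expanded \AppData\Roaming form.
APPDATA_DLL = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\[^\s,]*\.dll", re.IGNORECASE)


@dataclass
class Alert:
    technique: str
    reason: str
    event: Dict[str, str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict[str, str]) -> Optional[Alert]:
    """Flag rundll32.exe whose command line names a DLL under %APPDATA%."""
    if _basename(ev.get("image", "")) != "rundll32.exe":
        return None
    if APPDATA_DLL.search(ev.get("command_line", "")):
        return Alert("T1218.011", "rundll32 loading DLL from %APPDATA%", ev)
    return None


def check_hash(ev: Dict[str, str]) -> Optional[Alert]:
    """Match a file's MD5 against the installer hashes quoted on the page."""
    md5 = ev.get("md5", "").lower()
    if md5 in KNOWN_HASHES:
        return Alert("IOC", f"known malicious installer hash {md5}", ev)
    return None


def check_network(ev: Dict[str, str]) -> Optional[Alert]:
    """Match the destination host against the C2 list (exact or subdomain)."""
    host = ev.get("dest_host", "").lower().rstrip(".")
    for c2 in KNOWN_C2_HOSTS:
        if host == c2 or host.endswith("." + c2):
            return Alert("T1071.001", f"connection to C2 host {c2}", ev)
    return None


def scan(events: List[Dict[str, str]]) -> List[Alert]:
    """Run every check over every event and collect the alerts."""
    alerts: List[Alert] = []
    for ev in events:
        for check in (check_process, check_hash, check_network):
            hit = check(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (placeholder user, folder and DLL names).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Roaming\example\payload.dll",Entry'},
    {"image": r"C:\Windows\System32\rundll32.exe",          # benign use
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Users\alice\Downloads\setup.exe",
     "md5": "9e75705b4930f50502bcbd740fc3ece1"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "sa.netup.p-e.kr"},
    {"image": r"C:\Program Files\Vendor\update.exe",
     "dest_host": "update.example.com"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.reason}: {a.event}")
```

Because the installers are VMProtect-packed and carry a valid D2Innovation signature, hash and signer checks alone will miss repacked or re-signed builds; the rundll32-from-%APPDATA% rule is the behavioural backstop, and it should be tuned against whatever legitimate software in your environment also launches DLLs from the roaming profile.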

Read more: https://asec.ahnlab.com/ko/61666/