S2W TALON researchers uncovered Troll Stealer, a Go-based info-stealer linked to the Kimsuky group. It is distributed through a page that redirects to a South Korean site, and both the dropper and the malware are signed with a certificate believed to have been stolen. The campaign targets South Korea's administrative and public sectors and features a multi-stage dropper and loader, data exfiltration, and encrypted communications. #TrollStealer #Kimsuky
Keypoints
- Troll Stealer is a Go-based malware family that S2W TALON analyzed after it was found on VirusTotal as part of Kimsuky activity.
- The dropper and the malware embedded in it are signed with a valid certificate issued to D2innovation Co.,LTD, suggesting the certificate was stolen.
- The distribution page redirects to a South Korean site that prompts the visitor to install a “security program”; only 2 of the 5 installers offered there contain the malware.
- Troll Stealer can exfiltrate SSH information, FileZilla data, files from the C: drive, browser data, system information, and screen captures to a C2 server.
- The infection chain has three stages: Stage 1, the dropper (runs a legitimate NXTPKIENTS.exe and loads a malicious DLL via Rundll32); Stage 2, Troll Stealer; and Stage 3, data collection and exfiltration, followed by self-deletion.
- Attribution points strongly to Kimsuky because of the use of Go-based malware and code similarities to AppleSeed/AlphaSeed, though some TTP differences leave open the possibility of a closely associated group.
- Other malware signed with the same certificate was also found, implying that further threats may be distributed with it.
MITRE Techniques
- [T1588.004] Obtain Capabilities: Digital Certificates – The dropper and malware are signed with a valid D2innovation Co.,LTD certificate, suggesting it was stolen; its use for signing also fits T1553.002 Subvert Trust Controls: Code Signing. – “The dropper and internal malware were signed with a valid, legitimate “D2innovation Co.,LTD” certificate …”
- [T1218.011] System Binary Proxy Execution: Rundll32 – The dropper executes its malicious DLL through Rundll32.exe. – “Dropper drops a malicious DLL file and loads the file via Rundll32.exe”
- [T1027.002] Obfuscated Files or Information: Software Packing – The malware is packed with VMProtect to hinder analysis. – “packed with VMProtect to prevent analysis.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Self-deletion is performed by a PowerShell script launched with the execution policy bypassed. – “self-deletion via Powershell” and “powershell.exe -executionpolicy bypass -File [ps1 file]”
- [T1082] System Information Discovery – Troll Stealer collects system information. – “Troll Stealer steals information from the infected system, including … system information”
- [T1555.003] Credentials from Web Browsers – Troll Stealer collects browser data; note that the cited artifacts (cookies, history, downloads, extensions) map more directly to T1539 Steal Web Session Cookie and T1217 Browser Information Discovery. – “Browser Information … cookies, history, downloads and extensions”
- [T1041] Exfiltration Over C2 Channel – Stolen data is sent to the C2 server over communications the report describes as encrypted; the quoted “encrypted config file” refers to the malware's configuration, not the channel. – “send it to the C&C server” and “encrypted config file”
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses HTTP (the listed C2 indicator is an http:// URL). – “C2 server addresses”
- [T1005] Data from Local System – Troll Stealer collects files and system information from the local system. – “collects certain files and system information” and “data stolen from the infected system”
Indicators of Compromise
- [MD5] Dropper – 19c2decfa7271fa30e48d4750c1d18c1
- [SHA256] Dropper – f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
- [SHA256] Dropper – 6eebb5ed0d0b5553e40a7b1ad739589709d077aab4cbea1c64713c48ce9c96f9
- [MD5] Troll Stealer – 7457dc037c4a5f3713d9243a0dfb1a2c
- [SHA256] Troll Stealer – 61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92
- [MD5] GoBear – 87429e9223d45e0359cd1c41c0301836
- [SHA256] GoBear – a8c24a3e54a4b323973f61630c92ecaad067598ef2547350c9d108bc175774b9
- [URL] qi.limsjo.p-e.kr/index.php – distribution page
- [URL] ai.limsjo.p-e.kr/index.php – distribution page
- [URL] http://coolsystem.co.kr/admin/mail/index.php – identified C2 URL
- [IP] 216.189.159.197 – observed as a connection target