Kimsuky APT: The TrollAgent Stealer Analysis | Dark Atlas Blog | Buguard

The Kimsuky APT (also tracked as APT43, Black Banshee, Velvet Chollima, THALLIUM, ARCHIPELAGO and Emerald Sleet) targets South Korea, Japan and the United States for intelligence gathering across government, defence, education, energy, healthcare and think tanks. The campaign described here uses a multi-stage delivery chain that drops TrollAgent, a Go-based stealer protected with VMProtect, which combines anti-analysis checks with extensive data collection and exfiltration to its C2 over HTTP.

Keypoints

  • The group targets South Korea, Japan and the United States across national defence, education, energy, government, healthcare and think tanks for intelligence gathering.
  • TrollAgent is delivered by a signed initial installer together with a separate main installer (NXTPKIENTS.exe / NXTPKIE.exe); a batch script deletes the installer once the DLL has been dropped.
  • The installers carry signatures from “SGA Solutions CO., Ltd.” and “D2innovation CO., LTD.”, and the initial stage removes its traces by deleting the installer and its files in TEMP.
  • The DLL is written in Go and protected with VMProtect3; it was unpacked under a debugger. It checks how it was launched via a file in ProgramData and later starts the TrollAgent DLL in a newly created process.
  • Anti-analysis measures include deleting a scheduled task, checking for a configuration file, and creating a mutex named “chrome development kit 1.0” to detect sandboxes or analysis tooling.
  • TrollAgent builds a configuration ([email protected]), collects the MAC address and sets two C2 URLs; collected data is encrypted with RSA, compressed with a custom Zip function, and then sent to the C2.
  • Stolen data includes browser credentials (Chrome, Edge, Firefox, Yandex and others), cookies, SSH sessions, FileZilla data, Sticky Notes and screenshots; the data is organised, encrypted and exfiltrated over the C2 channel.

MITRE Techniques

  • [T1059.001 / T1059.003] Command and Scripting Interpreter: PowerShell / Windows Command Shell – Kimsuky drops PowerShell (PS) and batch (BAT) files to perform tasks on the compromised machine. (PowerShell scripts map to T1059.001; cmd.exe batch files map to T1059.003.)
  • [T1027.002] Obfuscated Files or Information: Software Packing – the TrollAgent DLL is protected with VMProtect3, a virtualising packer that obfuscates code to hinder analysis.
  • [T1218.011] System Binary Proxy Execution: Rundll32 – rundll32.exe, a legitimate Windows binary, is abused to load and execute the malicious TrollAgent DLL.
  • [T1036] Masquerading – the malware places its files inside the user's profile directories so that they blend in with legitimate files.
  • [T1070.004] Indicator Removal: File Deletion – the DLL checks for a file dropped by the initial infection stage; if that file is absent, the malware terminates and deletes its own files to avoid detection.
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – browser databases are read to collect the usernames and passwords saved by the user.
  • [T1539] Steal Web Session Cookie – browser cookies are stolen so that active sessions can be hijacked or maintained.
  • [T1082] System Information Discovery – commands such as systeminfo and hotfix enumeration gather information about the infected machine.
  • [T1057] Process Discovery – tasklist and wmic process get Caption, CommandLine list the processes running on the system.
  • [T1087.001] Account Discovery: Local Accounts – net user enumerates the local accounts.
  • [T1016] System Network Configuration Discovery – ipconfig /all, arp -a and route print gather the network configuration.
  • [T1083] File and Directory Discovery – dir "%programdata%\Microsoft\Windows\Start Menu\Programs" and dir /s "%userprofile%\desktop" enumerate installed programs and the files on the desktop.
  • [T1518.001] Security Software Discovery – powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct lists the registered antivirus products.
  • [T1005] Data from Local System – SSH keys and FileZilla FTP session data stored on the compromised system are collected.
  • [T1113] Screen Capture – the kbinani/screenshot Go library is used to take screenshots of the victim machine.
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication uses HTTP GET and POST requests.
  • [T1041] Exfiltration Over C2 Channel – the collected data is exfiltrated over the same HTTP C2 channel.
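The discovery commands mapped above are individually unremarkable, but the burst of them under one parent process is a useful detection signal. The following is an added example, not code from the Dark Atlas write-up: it scores process-creation records for the distinct techniques listed (T1082, T1057, T1087.001, T1016, T1083, T1518.001) and alerts when several appear under the same parent within a short window. The log format, hostnames, PIDs and thresholds are constructed for the example.

```python
"""
Added example (not from the Dark Atlas write-up): detect the discovery-command
burst mapped above when several distinct techniques run under one parent
process within a short window. Log format, hosts, PIDs and thresholds are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per technique, applied case-insensitively to the full command line.
DISCOVERY_PATTERNS = {
    "T1082": re.compile(r"\bsysteminfo\b", re.I),
    "T1057": re.compile(r"\btasklist\b|wmic\s+process\s+get\s+caption", re.I),
    "T1087.001": re.compile(r"\bnet\s+user\b", re.I),
    "T1016": re.compile(r"ipconfig\s*/all|\barp\s+-a\b|\broute\s+print\b", re.I),
    "T1083": re.compile(r"\bdir\s+(/s\s+)?\"?%(programdata|userprofile)%", re.I),
    "T1518.001": re.compile(r"get-ciminstance.*root[/\\]securitycenter2.*antivirusproduct", re.I),
}
MIN_DISTINCT_TECHNIQUES = 4     # assumed threshold: one or two of these is normal admin activity
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Constructed process-creation records: timestamp|host|parent PID|command line
SAMPLE_LOG = """\
2024-02-06T10:00:01|WS-FIN-07|4120|cmd.exe /c systeminfo
2024-02-06T10:00:02|WS-FIN-07|4120|cmd.exe /c tasklist
2024-02-06T10:00:02|WS-FIN-07|4120|cmd.exe /c wmic process get Caption,CommandLine
2024-02-06T10:00:03|WS-FIN-07|4120|cmd.exe /c net user
2024-02-06T10:00:04|WS-FIN-07|4120|cmd.exe /c ipconfig /all & arp -a & route print
2024-02-06T10:00:05|WS-FIN-07|4120|cmd.exe /c dir "%programdata%\\Microsoft\\Windows\\Start Menu\\Programs"
2024-02-06T10:00:06|WS-FIN-07|4120|powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
2024-02-06T10:00:07|WS-FIN-07|4120|notepad.exe
2024-02-06T09:00:00|WS-ADMIN-01|700|cmd.exe /c ipconfig /all
2024-02-06T11:00:00|WS-ADMIN-01|700|cmd.exe /c systeminfo
"""


def parse_line(line):
    ts, host, ppid, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": int(ppid), "cmd": cmd}


def classify(cmd):
    """Return the set of technique IDs whose pattern matches this command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmd)}


def detect_discovery_bursts(lines):
    """Group matching events by (host, parent PID) and alert when a WINDOW
    starting at any event covers MIN_DISTINCT_TECHNIQUES or more techniques."""
    by_parent = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        techs = classify(ev["cmd"])
        if techs:
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], techs, ev["cmd"]))
    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= WINDOW]
            techs = set().union(*(h[1] for h in window))
            if len(techs) >= MIN_DISTINCT_TECHNIQUES:
                alerts.append({"host": host, "ppid": ppid, "first_seen": t0.isoformat(),
                               "techniques": sorted(techs), "commands": [h[2] for h in window]})
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for a in detect_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(a["host"], a["ppid"], a["first_seen"], ", ".join(a["techniques"]))
```

The admin workstation runs two of the same commands hours apart and is not flagged; the finance host runs six distinct techniques in seven seconds under one parent and is. In a real pipeline the parent image (for this campaign, rundll32.exe hosting a DLL from a user directory) is worth adding as a second condition to cut noise further.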

Indicators of Compromise

  • [MD5] Initial installer – 9e75705b4930f50502bcbd740fc3ece1, 27ef6917fe32685fdf9b755eb8e97565
  • [MD5] TrollAgent DLL – 7457dc037c4a5f3713d9243a0dfb1a2c, c8e7b0d3b6afa22e801cacaf16b37355
  • [URL] C2 Server – hxxp://ar.kostin.p-e[.]kr/index.php, hxxp://dl.netup.p-e[.]kr/index.php and 4 more URLs
  • [File Name] NXTPKIE.exe – main installer
  • [File Name] [4].tmp.bat – TEMP directory batch file
  • [File Name] win-[6].db – Dropped DB file
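The indicators above are defanged and partly patterned, so they need a little normalisation before they can be matched. The following is an added example, not the Dark Atlas authors' code: it refangs the C2 URLs and matches their hosts exactly against constructed proxy log lines, and checks files under a directory by MD5 and by name. The bracketed counts in “[4].tmp.bat” and “win-[6].db” are assumed here to mean that many arbitrary characters; the sample log lines and sample files are constructed.

```python
"""
Added example (not the Dark Atlas authors' code): make the IOC list above
operational against proxy logs and a filesystem. The "[n]" in the file-name
IOCs is assumed to mean n arbitrary characters; sample inputs are constructed.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

C2_URLS_DEFANGED = [
    "hxxp://ar.kostin.p-e[.]kr/index.php",
    "hxxp://dl.netup.p-e[.]kr/index.php",
]
MD5_IOCS = {
    "9e75705b4930f50502bcbd740fc3ece1", "27ef6917fe32685fdf9b755eb8e97565",  # initial installer
    "7457dc037c4a5f3713d9243a0dfb1a2c", "c8e7b0d3b6afa22e801cacaf16b37355",  # TrollAgent DLL
}
# Assumed reading of the file-name IOCs: "[n]" stands for n arbitrary characters.
NAME_PATTERNS = [
    re.compile(r"^NXTPKIE(NTS)?\.exe$", re.I),
    re.compile(r"^.{4}\.tmp\.bat$", re.I),
    re.compile(r"^win-.{6}\.db$", re.I),
]


def refang(url):
    """Undo the usual hxxp:// and [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


C2_HOSTS = {urlsplit(refang(u)).hostname.lower() for u in C2_URLS_DEFANGED}

# Constructed proxy log: timestamp client-IP host path
SAMPLE_PROXY_LOG = """\
2024-02-06T10:01:12 10.20.4.31 ar.kostin.p-e.kr /index.php
2024-02-06T10:01:13 10.20.4.31 update.microsoft.com /v1/check
2024-02-06T10:02:40 10.20.4.31 DL.NETUP.P-E.KR /index.php
2024-02-06T10:03:00 10.20.4.55 kostin.p-e.kr /
"""


def scan_proxy_log(lines):
    """Exact host match against the refanged C2 hosts (parent domains do not match)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, host, path = parts[:4]
        if host.lower() in C2_HOSTS:
            hits.append({"ts": ts, "client": client, "url": "http://" + host.lower() + path})
    return hits


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root):
    """Return [(path, reasons)] for files whose MD5 or name matches an IOC."""
    findings = []
    for dirpath, _, names in sorted(os.walk(root)):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            reasons = []
            if any(p.match(name) for p in NAME_PATTERNS):
                reasons.append("name")
            if md5_file(path) in MD5_IOCS:
                reasons.append("md5")
            if reasons:
                findings.append((path, reasons))
    return findings


def make_sample_tree():
    """Create a temp directory of constructed files (placeholder contents, not real samples)."""
    root = tempfile.mkdtemp(prefix="trollagent-ioc-")
    for name in ["NXTPKIE.exe", "ab12.tmp.bat", "win-x9q2ab.db", "readme.txt", "win-x.db"]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder content, not the real sample")
    return root


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print("C2 contact:", hit)
    for path, reasons in scan_files(make_sample_tree()):
        print("file IOC:", path, reasons)
```

Hosts are compared exactly rather than by substring, so the parent domain kostin.p-e.kr in the last sample line is not reported; the MD5 check is the only one that confirms the actual sample, the name patterns are triage leads that need the hash or a look at the file to confirm.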

Read more: https://darkatlas.io/blog/kimsuky-apt-the-trollagent-stealer-analysis