{
	"id": "735c4008-cb05-45f6-b07a-43711fd1a15b",
	"created_at": "2026-05-01T03:10:08.704618Z",
	"updated_at": "2026-05-01T03:10:50.737657Z",
	"deleted_at": null,
	"sha1_hash": "e6fc7f3e724c41748dc920901b5766adc9b47fc7",
	"title": "Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2229712,
	"plain_text": "Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer…\r\nBy S2W\r\nPublished: 2024-02-08 · Archived: 2026-05-01 02:18:30 UTC\r\n14 min read\r\nFeb 7, 2024\r\nAuthor: Jiho Kim \u0026 Sebin Lee | BLKSMTH\r\nLast Modified: Feb 7, 2024\r\nPhoto by Mark König on Unsplash\r\nExecutive Summary\r\nS2W threat research and intelligence center Talon has hunted for and analyzed a sample of what is believed to be a new malware from the Kimsuky group on VirusTotal.\r\n— The malware was found to be distributed from a page that redirects users to a specific site located in South Korea to download a security program.\r\n— Unlike typical supply chain attacks, only 2 of the 5 installers distributed by the site were modified to include the malware.\r\nThe hunted malware is an Info-stealer malware written in Go language that steals information from the infected system, which is dropped and executed from a Dropper disguised as a security program installation file (TrustPKI, NX_PRNMAN) from SGA Solutions.\r\nThe dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate “D2innovation Co.,LTD” certificate, suggesting that the company’s certificate was actually stolen.\r\nS2W Talon has named the malware “Troll Stealer” because it contains the pathname “D:/~/repo/golang/src/root.go/s/troll/agent” within the malware.\r\n(Behaviors) Troll Stealer can steal information from the infected system like SSH, FileZilla, C drive files/directories, browser, system information, screen captures and send it to the C\u0026C server.\r\nhttps://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2\r\nPage 1 of 16\r\n(Attribution) Based on the Kimsuky group’s recent active use of Go-based malware, and the fact that Troll Stealer contains a lot of code similar to the AppleSeed and AlphaSeed malware associated with the Kimsuky group, we speculate that the Kimsuky group is behind the distribution of this malware.\r\n— However, there is also a possibility that another group closely associated with the Kimsuky group is behind the malware, as we have identified some differences in the TTPs from those previously observed from the Kimsuky group.\r\n(Target) Troll Stealer includes the ability to steal the GPKI folder on infected systems, which suggests that the campaign may have been targeting devices within administrative and public organizations in South Korea.\r\n— However, there are some differences in the TTP from the Kimsuky group’s previous TTPs, suggesting that another group closely associated with the Kimsuky group may be behind this campaign.\r\nIn addition to Troll Stealer, additional malware signed with the same legitimate certificate was found, so malware signed with that certificate may be distributed in the future.\r\nIntroduction\r\nOn January 10, 2024, a Go language-based information-stealing malware was discovered and we conducted a detailed analysis. The malware was distributed from a security program download page that was redirected when accessing a specific website in Korea and disguised as a security program installation file (TrustPKI, NX_PRNMAN) of SGA Solutions.\r\nFigure 1. Example of a security program download page when accessing a specific website in South Korea\r\nThe malware was identified as a dropper type that drops and executes both a legitimate installer and malware when executed, and both the dropper and internal malware were signed with a valid “D2innovation Co.,LTD” certificate instead of the original certificate “SGA Solutions”.\r\nFigure 2. Valid D2innovation Co.,LTD certificate identified by the Dropper malware.\r\nThe DLL file dropped from the dropper file is a Go language-based information-stealing malware packed with VMProtect and contains the path “D:/~/repo/golang/src/root.go/s/troll/agent” inside. It collects certain files and system information on the infected system and leaks the collected information to the C\u0026C server. Our analysis revealed that it borrows some code from open-source stealers.\r\nFigure 3. Paths present in the Troll Stealer.\r\nTalon, S2W’s threat research and intelligence center, believes that the Kimsuky group is behind the malware because it has similarities to existing malware from the Kimsuky group, such as nearly identical commands for collecting system information in the AppleSeed malware and the same RC4 + RSA combination for file encryption used by the AlphaSeed malware.\r\nTalon has named the malware “Troll Stealer” because it uses the pathname “D:/~/repo/golang/src/root.go/s/troll/agent”.\r\nDetailed Analysis\r\nSample Information\r\nMD5: 7b6d02a459fdaa4caa1a5bf741c4bd42\r\nSHA256: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3\r\nThe malware is disguised as the TrustPKI installer for the SGA solution, and when executed, it steals information from the infected system and sends it to the C\u0026C server.\r\n1. Dropper drops a malicious DLL file and loads the file via Rundll32.exe\r\n2. It executes the NXTPKIENTS.exe file, which is a legitimate installer\r\n3. Troll Stealer steals information from the infected system through malicious behavior\r\n4. Then, it sends stolen data to the C\u0026C server\r\n5. Also, it performs self-deletion via PowerShell\r\nFigure 4. Malware execution flow\r\nStage1. Dropper\r\n1. Mutex \u0026 Self-deletion\r\nWhen executed, it creates a mutex to prevent duplicate execution and subsequently creates and executes a BAT script file in the %Temp% subpath for self-deletion.\r\nMutex name: windows update {2024-1020-02A}\r\nFile path: %Temp%\\[A-Z0-9]{4}.tmp.bat\r\nBAT file contents\r\n:goto_redel\r\nrd /s /q [File path]\r\ndel [File path]\r\nif exist [File path] goto goto_redel\r\ndel %Temp%\\[A-Z0-9]{4}.tmp.bat\r\n2. Execute Normal Installer (NXTPKIENTS.exe)\r\nIt then drops and runs a legitimate installation file from SGA Solutions in the Desktop path. The installation file is verified to be a legitimate file signed with the “SGA Solutions Co.,Ltd” certificate.\r\nFile path: %USERPROFILE%\\Desktop\\NXTPKIENTS.exe\r\n3. Drop \u0026 Load Malicious DLL\r\nIn addition to the normal installation files, it also drops Troll Stealer and a file used for checking for infection, and the paths to each of these files are shown below. The folder and file names generated by different Dropper malware samples vary, but the following paths and names were found in the samples we analyzed.\r\nTable 2. Paths where information-stealing malware is dropped and filenames for infection history checks\r\nTroll Stealer is then executed via the rundll32.exe process, which calls the same Export function as the filename used for the infection check. The malware was packed with VMProtect to prevent analysis.\r\nCommand: C:\\Windows\\system32\\rundll32.exe %AppData%\\[DLL Path] [Export]\r\nStage2. Troll Stealer\r\nFilename: C:\\Users\\admin\\AppData\\Roaming\\Hancom\\hc-[a-z0-9]{8}.png\r\nMD5: 88f183304b99c897aacfa321d58e1840\r\nSHA256: 61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92\r\nType: DLL\r\n1. Initial behavior\r\nDuring its initial execution, it deletes the “ChromeUpdateTaskMachineUAC” scheduled task. However, given that neither Troll Stealer nor its parent Dropper has a feature to register a scheduled task with the above name, it is likely that this deletion is not accidental but removes a feature that was used in the past.\r\nCommand: schtasks /delete /f /tn “ChromeUpdateTaskMachineUAC”\r\nThe malware then checks for the existence of the infection-check file dropped by the dropper malware to determine whether it was executed via the dropper. It performs malicious behavior only if the file exists.\r\nFile path: %ProgramData%\\limsjo.a\r\nThe Stealer itself also registers a mutex to prevent duplicate execution.\r\nMutex name: chrome development kit 1.0\r\n2. Set configuration data\r\nIt collects the MAC address and directory path of the infected system and creates a temporary file with configured data for later malicious behavior. The configuration contains information such as C\u0026C server addresses.\r\nConfiguration path: %UserProfile%\\.tmp\\{Random Number}.org\r\nC\u0026C server: hxxp[:]//qi.limsjo.p-e[.]kr/index.php\r\nC\u0026C server: hxxp[:]//ai.limsjo.p-e[.]kr/index.php\r\nTable 2. Data in configuration\r\nExamples of configuration data\r\n{\r\n \"ServerID\": 0,\r\n \"ObjectID\": 0,\r\n \"GtType\": 2111,\r\n \"GtID\": [sha1_hash(little_endian(mac_addr[:8]))],\r\n \"GtVer\": \"gt@2.0\",\r\n \"Interval\": 0,\r\n \"LocalPath\": \"%AppData%\\\\local\\\\\",\r\n \"MacAddr\": [MacAddr],\r\n \"ProxyNum\": 5,\r\n \"ProxyUrl\": [\r\n \"\",\r\n \"\",\r\n \"\",\r\n \"http://qi.limsjo.p-e.kr/index.php\",\r\n \"http://ai.limsjo.p-e.kr/index.php\"\r\n ]\r\n}\r\nThe Config file is then encrypted, sent to the C\u0026C server, and deleted.\r\nEncrypted config file path: %AppData%\\local\\gcfg@{YYMMDD}(HH.MM.SS-000).gte1\r\n3. Data collection\r\nTroll Stealer steals various information from the infected system, encrypts it, and sends it to the C\u0026C server. The malware steals the following information.\r\nTable 3. Target data and encrypted filename\r\n3.1. SSH\r\nIt exfiltrates the infected system’s SSH information. It compresses the system’s .ssh directory and creates a file. Afterward, it encrypts the compressed file, creates a file in a different path, and sends it to the C\u0026C server.\r\n.SSH directory save path: %USERPROFILE%\\.ssh\r\nEncrypted file path: %AppData%\\local\\tsd@{YYMMDD}(HH.MM.SS-000).gte1\r\n3.2. FileZilla\r\nIt exfiltrates information from FileZilla software present on the infected system. It compresses the filezilla directory and creates a file. The compressed file is then encrypted, created as a file in a different path, and sent to the C\u0026C server.\r\nFileZilla directory save path: %AppData%\\filezilla\r\nEncrypted file path: %AppData%\\local\\tfd@{YYMMDD}(HH.MM.SS-000).gte1\r\n3.3. Microsoft Sticky Note\r\nIt exfiltrates information from Microsoft Sticky Note present on the infected system. It compresses the localstate directory and creates a file. The compressed file is then encrypted, created as a file in a different path, and sent to the C\u0026C server.\r\nMicrosoft Sticky Note save path: %USERPROFILE%\\AppData\\Local\\packages\\microsoft.microsoftstickynotes_8wekyb3d8bbwe\\localstate\r\nEncrypted file path: %AppData%\\local\\tnd@{YYMMDD}(HH.MM.SS-000).gte1\r\n3.4. “GPKI” directory in C Drive\r\nTroll Stealer steals data from a specific folder on the C drive of an infected system. The attacker collects the names of files and folders on the C drive and appends additional strings to create a new string, as shown below. It then generates a SHA512 hash of that string, and if it is the same as the hardcoded SHA512 hash in the malware, it encrypts the file and sends it to the C\u0026C server. Analyzing the hardcoded SHA512 hash revealed that the attacker attempted to steal the GPKI folder on the C drive.\r\nString format: “aaxxyyzz” + {File name} + “zzyyxxaa”\r\n==\u003e Target string: aaxxyyzzgpkizzyyxxaa\r\nHardcoded SHA512 hash in Troll Stealer:\r\n17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b223\r\nEncrypted file path: %AppData%\\local\\tcd@{YYMMDD}(HH.MM.SS-000).gte1\r\nGPKI, also known as an administrative electronic signature certificate, is an authorized certificate used to verify the authenticity of administrative electronic signatures, which is used by government bodies such as administrative and public institutions in South Korea. In other words, it is not used on ordinary computers but is usually installed on computers used for public affairs. In this regard, it is believed that this campaign is aimed at targeting PCs installed in public institutions.\r\n3.5. Browser Information\r\nIt steals browser information from the infected system. The malware is believed to have utilized HackBrowserData, an open-source program written in Go language, to steal browser information. It targets Chromium-based browsers and Firefox browsers on infected systems and steals various information such as cookies, history, downloads, and extensions and saves them as JSON files in the browser directory. After compressing the browser directory, it performs encryption and sends it to the C\u0026C server.\r\nBrowser save path: %AppData%\\local\\browser\r\nEncrypted file path: %AppData%\\local\\tbd@{YYMMDD}(HH.MM.SS-000).gte1\r\n3.6. System Information\r\nIt steals system information from an infected system. It collects infected system information through CMD commands, encrypts it, and creates a file. The encrypted file is sent to the C\u0026C server.\r\nEncrypted file path: %AppData%\\local\\ccmd@{YYMMDD}(HH.MM.SS-000).gte1\r\nTable 4. List of system information collected\r\nCommands to collect system information\r\nsysteminfo \u0026\r\nnet user \u0026\r\nquery user \u0026\r\npowershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct \u0026\r\nwmic qfe \u0026\r\nwmic startup get \u0026\r\nwmic logicaldisk get \u0026\r\nipconfig /all \u0026\r\narp -a \u0026\r\nroute print \u0026\r\ntasklist \u0026\r\nwmic process get Caption, Commandline \u0026\r\ndir \"%programfiles%\" \u0026\r\ndir \"%programfiles% (x86)\" \u0026\r\ndir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\" \u0026\r\ndir \"%appdata%\\Microsoft\\Windows\\Recent\" \u0026\r\ndir /s \"%userprofile%\\desktop\" \u0026\r\ndir /s \"%userprofile%\\downloads\" \u0026\r\ndir /s \"%userprofile%\\documents\"\r\n3.7. Screen Capture\r\nIt captures the current desktop screen of the infected machine and saves it to a file, using the screenshot package of “kbinani” published on GitHub. The captured file is encrypted and written to a file, and the encrypted file is then sent to the C\u0026C server.\r\nEncrypted file path: %AppData%\\local\\ssht@{YYMMDD}(HH.MM.SS-000).gte1\r\n4. File Encryption\r\nBefore sending the stolen data to the C\u0026C server, it encrypts the data using a combination of the RC4 and RSA-4096 algorithms. The malware parses the RSA public key from the hardcoded PKCS#1 DER. It then randomly generates an RC4 key value and uses it to encrypt the stolen data. The RC4 encryption key is encrypted with the RSA public key.\r\nFigure 6. Encryption flow before file transfer\r\nHardcoded PKCS#1 DER\r\n3082020a0282020100c3fc0e50f4dcafec48ee42362d70c8f6b3153e91566b15a9540d0ca9f3e81846093d8752940b414043c0eaa752dd\r\n5. C\u0026C Communication\r\nThe malware creates a 60-byte structure and organizes 12 fields to exfiltrate the Config data and data stolen from the victim system. The value of each field is set differently depending on the purpose of the communication and the type of data to be transmitted, and the payload is located after the size_payload field. The configured data is XORed and Base64 encoded and sent to the C\u0026C server through the HTTP protocol. The common structure for communication is shown in Figure 7, and the meaning of each field is described in Table 5.\r\nFigure 7. The communication data structures used by Troll Stealer.\r\nTable 5. Fields in a data structure\r\nAfter organizing the data to be sent into a structure, it performs an XOR operation followed by Base64 encoding using a hardcoded 4-byte key in the binary. The encoded result is sent to the C\u0026C server in the format “a=[Encoded_Data]”.\r\nXOR Key: DD 33 99 CC\r\nFigure 8. Data computation process\r\nThe final stolen data is sent as follows:\r\nSteal data =\u003e Encrypt file (RC4+RSA) =\u003e Encode structure used for communication (XOR+Base64) =\u003e Pass as a parameter\r\nTroll Stealer sends the “init” string in the payload to the C\u0026C server only the first time it communicates, and only when it receives the “ok” string in response does it continue to leak the stolen data.\r\nIn this case, there are a total of four communications per exfiltration of configuration or stolen items: the first communication is to perform the ping function, and the second and third communications are sent with the same data in the payload. However, we can see that the value of the status_type field is configured differently. Finally, the fourth communication includes the stolen filename in the payload and sets the value of the send_type field to 5. Once the file is successfully sent to the C\u0026C server, it deletes the encrypted file in the %appdata%\\local\\ path.\r\nFigure 9. Communication flow for Troll Stealer\r\n6. Self-deletion\r\nAfter executing the malware, it creates a PS1 file in the .tmp directory and runs it via powershell.exe, which deletes Troll Stealer itself.\r\n.PS1 save path: %USERPROFILE%\\.tmp\\{Random}.ps1\r\nCommand: powershell.exe -executionpolicy bypass -File [ps1 file]\r\n.PS1 file contents\r\n$target = {Stealer Path}\r\nfor ($i = 0; $i -lt 50; $i++)\r\n{\r\n Remove-Item $target -Force\r\n Remove-Item $PSCommandPath -Force\r\n if (!(Test-Path $target) -and !(Test-Path $PSCommandPath))\r\n {\r\n break\r\n }\r\n Start-Sleep -Seconds 2\r\n}\r\nAttribution\r\nS2W speculates that the Kimsuky group may be behind the distribution of this malware based on the group’s recent active use of Go-based malware and the similarity of the code to existing AppleSeed and AlphaSeed malware.\r\nCorrelation with AppleSeed/AlphaSeed\r\nThe path where the dropper malware drops Troll Stealer and the filename format it creates appear similar to the path and filename of AppleSeed, which was disclosed by ASEC.\r\nTable 8. AppleSeed vs. Troll Stealer path and filename comparison\r\nIn addition, the hardcoded commands it executes to collect infected system information are identical to those found in the AppleSeed malware discovered in May 2023. However, in the case of the recently discovered malware, two additional commands were added to obtain information about the user’s accounts and sessions.\r\nnet user\r\nquery user\r\nTable 9. Comparison of commands to steal information\r\nIn addition, the same type of mutexes identified in the Troll Stealer Dropper malware were found in both AppleSeed Dropper and Meterpreter, which have been used by the Kimsuky group in the past.\r\nTable 10. Mutexes used in the Kimsuky group’s malware\r\nTroll Stealer then compresses the folder where the stolen files are stored and encrypts them using the RSA and RC4 algorithms. We found that the combination and the encryption execution flow are the same as those used by AlphaSeed.\r\nFigure 10. The encryption/decryption method used by AlphaSeed and Troll Stealer.\r\nFurthermore, the Go language library used to capture the victim system’s desktop screen was identified as the same kbinani package also used by AlphaSeed.\r\nhttps://github.com/kbinani/screenshot\r\nAnother golang-based backdoor (GoBear)\r\nIn addition to the Troll Stealer, another Go language-based backdoor malware signed with a legitimate “D2innovation Co.,LTD” certificate was also found.\r\nMD5: 87429e9223d45e0359cd1c41c0301836\r\nC\u0026C: hxxp[:]//coolsystem[.]co.kr/admin/mail/index.php\r\nReference: Kimsuky (APT-Q-2) secret theft operation disguised as software installation package\r\nThe malware performs malicious behaviors based on the commands it receives from the C\u0026C server, and the strings contained in the names of the functions it calls have been found to overlap with the commands used by BetaSeed, a C++-based backdoor malware used by the Kimsuky group. The DLL version of BetaSeed also steals information from the victim system and performs additional malicious actions based on the commands it receives from the C\u0026C server.\r\nMD5: d6abeeb469e2417bbcd3c122c06ba099\r\nReference: 수입 신고서를 위장하여 국내 연구 기관을 노리는 Kimsuky (Kimsuky targeting domestic research institutions under the guise of an import declaration)\r\nHowever, the two malware families were classified as different types because they were written in different languages and there were no similarities in the code other than the strings in the function names.\r\nTable 11. Correlations between backdoor malware used by the Kimsuky group\r\nIt is noteworthy that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group’s backdoor malware. Furthermore, the fact that the mutex used in the previous AppleSeed malware was reused after two years without being updated suggests that the author of the Troll Stealer malware based on AppleSeed may have made a mistake.\r\nConclusion\r\nS2W threat research and intelligence center Talon has hunted for and analyzed a sample of a new malware from the Kimsuky group, and named it Troll Stealer.\r\nTroll Stealer is written in Go and identified as an Info-stealer malware that steals information from infected systems (SSH, FileZilla, C drive files/directories, browsers, system information, screen captures).\r\n— Troll Stealer is distributed by dropping and executing from a Dropper disguised as SGA Solutions’ Trusted PKI installer.\r\nThe dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate “D2innovation Co.,LTD” certificate, suggesting that the company’s certificate was actually stolen.\r\nTroll Stealer includes the ability to steal the GPKI folder on infected systems, which suggests that the campaign may have been targeting devices within administrative and public organizations in South Korea.\r\n— The Kimsuky group has no known history of hijacking GPKI folders or utilizing the SOCKS5 protocol in the past, so it is possible that they have set new targets, or that another group with access to the source code for AppleSeed/AlphaSeed created Troll Stealer and GoBear.\r\nS2W believes that the Kimsuky group is likely behind the distribution of this malware based on the group’s active use of Go-based malware and the many similarities found between Troll Stealer and the existing AppleSeed and AlphaSeed malware.\r\nIn addition to Troll Stealer, additional malware signed with the same legitimate certificate was found, so it is possible that malware signed with that certificate may be distributed in the future.\r\nMITRE ATT\u0026CK\r\nResource Development\r\n(T1588.004) Digital Certificates\r\nExecution\r\n(T1204.002) Malicious File\r\n(T1059.001) PowerShell\r\n(T1059.003) Windows Command Shell\r\nDefense Evasion\r\n(T1027.002) Software Packing\r\nCredential Access\r\n(T1555.003) Credentials from Web Browsers\r\n(T1539) Steal Web Session Cookie\r\nDiscovery\r\n(T1057) Process Discovery\r\n(T1087.001) Local Account\r\n(T1083) File and Directory Discovery\r\n(T1518.001) Security Software Discovery\r\n(T1082) System Information Discovery\r\n(T1016) System Network Configuration Discovery\r\nCollection\r\n(T1005) Data from Local System\r\n(T1113) Screen Capture\r\n(T1560) Archive Collected Data\r\nCommand and Control\r\n(T1071.001) Web Protocol\r\nExfiltration\r\n(T1041) Exfiltration Over C2 Channel\r\nAppendix A. IoCs\r\nFile hash\r\nDropper\r\n19c2decfa7271fa30e48d4750c1d18c1\r\n6eebb5ed0d0b5553e40a7b1ad739589709d077aab4cbea1c64713c48ce9c96f9\r\n7b6d02a459fdaa4caa1a5bf741c4bd42\r\nf8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3\r\n27ef6917fe32685fdf9b755eb8e97565\r\n2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e\r\nBackdoor (GoBear)\r\n87429e9223d45e0359cd1c41c0301836\r\na8c24a3e54a4b323973f61630c92ecaad067598ef2547350c9d108bc175774b9\r\nTroll Stealer\r\n7457dc037c4a5f3713d9243a0dfb1a2c\r\nff3718ae6bd59ad479e375c602a81811718dfb2669c2d1de497f02baf7b4adca\r\nc8e7b0d3b6afa22e801cacaf16b37355\r\n955cb4f01eb18f0d259fcb962e36a339e8fe082963dfd9f72d3851210f7d2d3b\r\n88f183304b99c897aacfa321d58e1840\r\nbc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d\r\nNetwork\r\nhxxp[:]//ai.kostin.p-e[.]kr/index.php\r\nhxxp[:]//ar.kostin.p-e[.]kr/index.php\r\nhxxp[:]//ai.negapa.p-e[.]kr/index.php\r\nhxxp[:]//ol.negapa.p-e[.]kr/index.php\r\nhxxp[:]//ai.limsjo.p-e[.]kr/index.php\r\nhxxp[:]//qi.limsjo.p-e[.]kr/index.php\r\nhxxp[:]//coolsystem[.]co.kr/admin/mail/index.php\r\nai.kostin.p-e[.]kr\r\nar.kostin.p-e[.]kr\r\nai.negapa.p-e[.]kr\r\nol.negapa.p-e[.]kr\r\nai.limsjo.p-e[.]kr\r\nqi.limsjo.p-e[.]kr\r\n216.189.159[.]197\r\nSource: https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2"
	],
	"report_names": [
		"kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2"
	],
	"threat_actors": [],
	"ts_created_at": 1777605008,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6fc7f3e724c41748dc920901b5766adc9b47fc7.pdf",
		"text": "https://archive.orkl.eu/e6fc7f3e724c41748dc920901b5766adc9b47fc7.txt",
		"img": "https://archive.orkl.eu/e6fc7f3e724c41748dc920901b5766adc9b47fc7.jpg"
	}
}