Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer [Friday, February 09, 2024]


Description:
A new malware called Troll Stealer has been discovered, which is believed to originate from the North Korean APT group Kimsuky. Troll Stealer is an information-stealing malware written in Go that exfiltrates data including SSH credentials, FileZilla information, browser data, system information, and screen captures. It is distributed via droppers disguised as Korean security software installers and signed with a certificate stolen from D2innovation Co. LTD. Based on code similarities, Troll Stealer appears related to the earlier Kimsuky malware families AppleSeed and AlphaSeed, and it specifically targets the GPKI certificate folder on infected systems, suggesting it is aimed at government and administrative organizations in South Korea.

Published: 2024-02-09 14:40:28
Created: 2024-02-09 14:40:28
Modified: 2024-02-09 14:56:27

Tags

Indicators

IPv4s:
Domains:
Malwares:
  • Troll Stealer
Hashes:
Intrusion set:
  • Kimsuky
Location:
  • Korea, Republic of
MITRE ATT&CK Techniques:
Other observables:
  • Government


About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
