Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)
Author: Jiho Kim & Sebin Lee | BLKSMTH
Last Modified : Feb 7, 2024
Executive Summary
- S2W threat research and intelligence center Talon has hunted for and analyzed a sample of what is believed to be a new malware from the Kimsuky group on VirusTotal.
— The malware was found to be distributed from a page that redirects users to a specific site located in South Korea to download a security program.
— Unlike typical supply chain attacks, only 2 of the 5 installers distributed by the site were modified to include the malware.
- The hunted malware is an Info-stealer malware written in Go language that steals information from the infected system, which is dropped and executed from a Dropper disguised as a security program installation file (TrustPKI, NX_PRNMAN) from SGA Solutions.
- The dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate “D2innovation Co.,LTD” certificate, suggesting that the company’s certificate was actually stolen.
- S2W Talon has named the malware “Troll Stealer” because it contains the pathname “D:/~/repo/golang/src/root.go/s/troll/agent” within the malware.
- (Behaviors) Troll Stealer can steal information from the infected system like SSH, FileZilla, C drive files/directories, browser, system information, screen captures and send it to the C&C server.
- (Attribution) Based on the Kimsuky group’s recent active use of Go-based malware, and the fact that Troll Stealer contains a lot of code similar to the AppleSeed and AlphaSeed malware associated with the Kimsuky group, we speculate that the Kimsuky group is behind the distribution of this malware.
— However, there is also a possibility that another group closely associated with the Kimsuky group is behind the malware, as we have identified some differences in the TTPs from those previously observed from the Kimsuky group.
- (Target) Troll Stealer includes the ability to steal the GPKI folder on infected systems, which suggests that the campaign may have been targeting devices within administrative and public organizations in South Korea.
— However, there are some differences in the TTP from the Kimsuky group’s previous TTPs, suggesting that another group closely associated with the Kimsuky group may be behind this campaign.
- In addition to Troll Stealer, additional malware signed with the same legitimate certificate was found, so malware signed with that certificate may be distributed in the future.
Introduction
On January 10, 2024, a Go language-based information-stealing malware was discovered and we conducted a detailed analysis. The malware was distributed from a security program download page that was redirected when accessing a specific website in Korea and disguised as a security program installation file (TrustPKI, NX_PRNMAN) of SGA Solutions.
The malware was identified as a dropper type that drops and executes both a legitimate installer and malware when executed, and both the dropper and internal malware were signed with a valid “D2innovation Co.,LTD” certificate instead of the original certificate “SGA Solutions”.
The DLL file dropped from the dropper file is a Go language-based information-stealing malware packed with VMProtect and contains the path “D:/~/repo/golang/src/root.go/s/troll/agent” inside. It collects certain files and system information on the infected system and leaks the collected information to the C&C server. Our analysis revealed that it borrows some code from open-source stealers.
Talon, S2W’s threat research and intelligence center, believes that the Kimsuky group is behind the malware because it has similarities to existing malware from the Kimsuky group, such as nearly identical commands for collecting system information in the AppleSeed malware and the same RC4 + RSA combination for file encryption used by the AlphaSeed malware.
Talon has named the malware “Troll Stealer” because it uses the pathname “D:/~/repo/golang/src/root.go/s/troll/agent”.
Detailed Analysis
Sample Information
- MD5: 7b6d02a459fdaa4caa1a5bf741c4bd42
- SHA256: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
The malware is disguised as the TrustPKI installer for the SGA solution, and when executed, it steals information from the infected system and sends it to the C&C server.
- Dropper drops a malicious DLL file and loads the file via Rundll32.exe
- It executes the NXTPKIENTS.exe file, which is a legitimate installer
- Troll Stealer steals information from the infected system through malicious behavior
- Then, it sends stolen data to the C&C server
- Also, it performs self-deletion via Powershell
Stage1. Dropper
1. Mutex & Self-deletion
When executed, it creates a mutex to prevent duplicate execution and subsequently creates and executes a BAT script file in the %Temp% subpath for self-deletion.
Mutex name: windows update {2024–1020–02A}
- File path: %Temp%\\[A-Z0–9]{4}.tmp.bat
- BAT file contents
:goto_redel
rd /s /q [File path]
del [File path]
if exist [File path] goto goto_redel
del %Temp%\\[A-Z0-9]{4}.tmp.bat
2. Execute Normal Installer (NXTPKIENTS.exe)
Then drop and run a legitimate installation file from SGA Solutions in the Desktop path. The installation file is verified to be a legitimate file signed with the “SGA Solutions Co.,Ltd”. certificate.
- File path: %USERPROFILE%\Desktop\NXTPKIENTS.exe
3. Drop & Load Malicious DLL
In addition to the normal installation files, it also drops Troll Stealer and a file for checking for infection, and the paths to each of these files are shown below. The folder and file names generated by different Dropper malware samples vary, but the following paths and names were found in the samples we analyzed.
Troll Stealer is then executed via the rundll32.exe process, which calls the same Export function as the filename used for the infection check. The malware was packed with VMProtect to prevent analysis.
- Command: C:\Windows\system32\rundll32.exe %AppData%\[DLL Path] [Export]
Stage2. Troll Stealer
- Filename: C:\Users\admin\AppData\Roaming\Hancom\hc-[a-z0–9]{8}.png
- MD5: 88f183304b99c897aacfa321d58e1840
- SHA256: 61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92
- Type: DLL
1. Initial behavior
During its initial execution, it deletes the “ChromeUpdateTaskMachineUAC” scheduler. However, given that Troll Stealer and its parent Dropper do not have the feature to register a scheduler with the above name, it is likely that it did not accidentally remove a feature that was used in the past.
- Command: schtasks /delete /f /tn “ChromeUpdateTaskMachineUAC”
The malware then checks for the existence of the file to check the infection dropped by the dropper malware to determine if it was executed via a dropper. It performs malicious behavior only if the file exists.
- File path: %ProgramData%\limsjo.a
Stealer itself registers mutexes to prevent malware duplicate execution.
- Mutex name: chrome development kit 1.0
2. Set configuration data
It collects the MAC address and directory path of the infected system and creates a temporary file with configured data for later malicious behavior. Configuration contains information such as C&C server addresses.
- Configuration path: %UserProfile%\.tmp\{Random Number}.org
- C&C server: hxxp[:]//qi.limsjo.p-e[.]kr/index.php
- C&C server: hxxp[:]//ai.limsjo.p-e[.]kr/index.php
- Examples of configuration data
{
"ServerID": 0,
"ObjectID": 0,
"GtType": 2111,
"GtID": [sha1_hash(little_endian(mac_addr[:8]))],
"GtVer": "gt@2.0",
"Interval": 0,
"LocalPath": "%AppData%\\local\\",
"MacAddr": [MacAddr],
"ProxyNum": 5,
"ProxyUrl": [
"",
"",
"",
"http://qi.limsjo.p-e.kr/index.php",
"http://ai.limsjo.p-e.kr/index.php"
]
}
The Config file is then encrypted, sent to the C&C server, and deleted.
- Encrypted config file path: %AppData%\local\gcfg@{YYMMDD}(HH.MM.SS-000).gte1
3. Data collection
Troll Stealer steals various information from the infected system, encrypts it, and sends it to the C&C server. The malware steals the following information
3.1. SSH
It exfiltrates the infected system’s SSH information. It compresses the system’s .ssh directory and creates a file. Afterward, it encrypts the compressed file, creates a file in a different path, and sends it to the C&C server.
- .SSH directory save path: %USERPROFILE%\.ssh
- Encrypted file path: %AppData%\local\tsd@{YYMMDD}(HH.MM.SS-000).gte1
3.2. FileZilla
It exfiltrates information from FileZilla software present on the infected system. It compresses the filezilla directory and creates a file. The compressed file is then encrypted and created as a file in a different path and sent to the C&C server.
- FileZilla directory save Path: %AppData%\filezilla
- Encrypted file path: %AppData%\local\tfd@{YYMMDD}(HH.MM.SS-000).gte1
3.3. Microsoft Sticky Note
It exfiltrates information from Microsoft Sticky Note present on the infected system. It compresses the localstate directory and creates a file. The compressed file is then encrypted and created as a file in a different path and sent to the C&C server.
- Microsoft Sticky Note save path: %USERPROFILE%\AppData\Local\packages\microsoft.microsoftstickynotes_8wekyb3d8bbwe\localstate
- Encrypted file path: %AppData%\local\tnd@{YYMMDD}(HH.MM.SS-000).gte1
3.4. “GPKI” directory in C Drive
Troll Stealer steals data from a specific folder on the C drive of an infected system. The attacker collects the names of files and folders on the C drive and appends additional strings to create a new string, as shown below. It then generates a SHA512 hash of that string, and if it is the same as the hardcoded SHA512 hash in the malware, it encrypts the file and sends it to the C&C server. Analyzing the hardcoded SHA512 hash revealed that the attacker attempted to steal the GPKI folder on the C drive.
- String format: “aaxxyyzz” + {File name} + “zzyyxxaa”
==> Target string: aaxxyyzzgpkizzyyxxaa
- Hardcoded SHA512 hash in Troll Stealer: 17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b22328af95610f72f1
- Encrypted file path: %AppData%\local\tcd@{YYMMDD}(HH.MM.SS-000).gte1
GPKI, also known as an administrative electronic signature certificate, is an authorized certificate used to verify the authenticity of administrative electronic signatures, which is used by governments such as administrative and public institutions in South Korea. In other words, it is not used on ordinary computers but is usually installed on computers used for public affairs. In this regard, it is believed that this campaign is aimed at targeting PCs installed in public.
3.5. Browser Information
It steals browser information from the infected system. The malware is believed to have utilized HackBrowserData, an open-source program written in Go language, to steal browser information. It targets Chromium-based browsers and Firefox browsers on infected systems and steals various information such as cookies, history, downloads, and extensions and saves them as JSON files in the browser directory. After compressing the browser directory, it performs encryption and sends it to the C&C server.
- Browser save path: %AppData%\local\browser
- Encrypted file path: %AppData%\local\tbd@{YYMMDD}(HH.MM.SS-000).gte1
3.6. System Information
It steals system information from an infected system. It collects infected system information through CMD commands, encrypts it, and creates a file. The encrypted file is sent to the C&C server.
- Encrypted file path: %AppData%\local\ccmd@{YYMMDD}(HH.MM.SS-000).gte1
- Commands to collect system information
systeminfo &
net user &
query user &
powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct &
wmic qfe &
wmic startup get &
wmic logicaldisk get &
ipconfig /all &
arp -a &
route print &
tasklist &
wmic process get Caption, Commandline &
dir "%programfiles%" &
dir "%programfiles% (x86)" &
dir "%programdata%\Microsoft\Windows\Start Menu\Programs" &
dir "%appdata%\Microsoft\Windows\Recent" &
dir /s "%userprofile%\desktop" &
dir /s "%userprofile%\downloads" &
dir /s "%userprofile%\documents"
3.7. Screen Capture
Capture the current desktop screen of the infected machine and save it to a file. Use the screenshot package of “kbinani” published on Github to capture the desktop screen. Encrypt the captured file and create a file, then send the encrypted file to the C&C server.
- Encrypted file path: %AppData%\local\ssht@{YYMMDD}(HH.MM.SS-000).gte1
4. File Encryption
Before sending the stolen data to the C&C server, it encrypts the data using a combination of RC4 and RSA-4096 algorithms. The malware parses the RSA public key from the hardcoded DER of PKCS#1. It then randomly generates an RC4 key value and uses it to encrypt the stolen data. The RC4 encryption key is encrypted with the RSA public key.
- Hardcoded PKCS#1 DER
3082020a0282020100c3fc0e50f4dcafec48ee42362d70c8f6b3153e91566b15a9540d0ca9f3e81846093d8752940b414043c0eaa752dd29b3aa7132bc3a1c9d8c8ed8aeaeb51c1ab99491879e8e9af96eec3f87d64fdc6dc2e51bed259314c6417d481472463a3df1ca5a16254f203aecb10c56e0dc0b8f9f6e70cc286161dbd2d0e6e3652a438ba1e48cc822cb2138f012e4cd4132c627ca165a17793785fc4c74198b03bcd8743f389345edb4238984ebf84d9a89851b5adc6378a4c0b441bab7f7e15330be4ed3abadb393cce9a3f1e37cf71cbbf3cc32c2b399cdc2cd65f651be21ef84c9bf67c13cbd38a0d0897dfc1f6b7ba809ef59f5de9019697115ddfdae5cb885f78e4766af4c23c95ebb198656ee391d788ab52fd760670561d417f099538f45f652b438b5b32afa0c2ae08eb04381112a254aff4e6eeb1db29be8dc248a85226a21528e87b837801f7a81ab4e0b03d0b23ba8c69bad52d094c343444676b9d1516cf3cf1017942cf12eadc16cf56f843ba344deb6c7e935b4abf574d8121b301dc05ce7945578ede2f14be9daab4bd6be430dcf7f4e39e97fba7f462822c6743ac8dc79674dcd5c958c94bf27490758e9fa13432e5f0134cacd422115a0e76fcfd14b9b86f88bb3e136fc54c46ea6d2212ea00478dc11d9cf80c06fab2c4a3c7d3ad5f4fa00f4999a2170189eb747368e41c2cf41302e476c39861876512d9f8d355b0203010001
5. C&C Communication
The malware creates a 60-byte structure and organizes 12 fields to exfiltrate the Config data and data stolen from the victim system. The value of each field is set differently depending on the purpose of the communication and the type of data to be transmitted, and the payload is located after the size_payload field. The configured data is XORed and Base64 encoded and sent to the C&C server through the HTTP protocol. The common structure for communication is shown in Figure 7, and the meaning of each field is described in Table 5.
After organizing the data to be sent into a structure, it performs an XOR operation followed by Base64 encoding using a hardcoded 4-byte key in the binary. The encoded result is sent to the C&C server in the format “a=[Encoded_Data]”.
- XOR Key: DD 33 99 CC
The final stolen data is sent as follows:
- Steal data => Encrypt file(RC4+RSA) => Encode structure used for communication(XOR+Base64) => Pass as a parameter
Troll Stealer sends the “init” string in the payload to the C&C server only the first time it communicates, and only when it receives the “ok” string in response does it continue to leak the stolen data.
In this case, there are a total of four communications per exfiltration of configuration or stolen items: the first communication is to perform the ping function, and the second and third communications are sent with the same data in the payload. However, we can see that the value of the status_type field is configured differently. Finally, the fourth communication includes the stolen filename in the payload and sets the value of the send_type field to 5. Once the file is successfully sent to the C&C server, delete the encrypted file in the %appdata%\local\ path.
6. Self-deletion
After executing the malware, it creates a PS1 file in the .tmp directory and runs it via the powershell.exe, which deletes Troll Stealer itself.
- .PS1 save path: %USERPROFILE%\.tmp\{Random}.ps1
- Command: powershell.exe -executionpolicy bypass -File [ps1 file]
- .PS1 file contents
$target = {Stealer Path}
for ($i = 0; $i -lt 50; $i++)
{
Remove-Item $target -Force
Remove-Item $PSCommandPath -Force
if (!(Test-Path $target) -and !(Test-Path $PSCommandPath))
{
break
}
Start-Sleep -Seconds 2
}
Attribution
S2W speculates that the Kimsuky group may be behind the distribution of this malware based on the group’s recent active use of Go-based malware and the similarity of the code to existing AppleSeed and AlphaSeed malware.
Correlation with AppleSeed/AlphaSeed
The path that the dropper malware drops Troll Stealer and the filename format it creates appear similar to the path and filename of AppleSeed, which was disclosed by ASEC.
In addition, the hardcoded commands it executes to collect infected system information are identical to those found in the AppleSeed malware discovered in May 2023. However, in the case of the recently discovered malware, two additional commands were added to obtain information about the user’s accounts and sessions.
- net user
- query user
In addition, the same type of mutexes identified in the Troll Stealer Dropper malware were found in both AppleSeed Dropper and Meterpreter, which have been used by the Kimsuky group in the past.
Troll Stealer then compresses the folder where the stolen files are stored and encrypts them using RSA and RC4 algorithms. We found that the combniation and the encryption execution flow are the same as those used by AlphaSeed.
Furthermore, the Go language library used to capture the victim system’s desktop screen was identified as the same kbinani package also used by AlphaSeed.
Another golang-based backdoor (GoBear)
In addition to the Troll Stealer, another Go language-based backdoor malware signed with a legitimate “D2innovation Co.,LTD certificate” was also found.
- MD5: 87429e9223d45e0359cd1c41c0301836
- C&C: hxxp[:]//coolsystem[.]co.kr/admin/mail/index.php
- Reference: Kimsuky (APT-Q-2) secret theft operation disguised as software installation package
The malware performs malicious behaviors based on the commands it receives from the C&C server, and the strings contained in the names of the functions it calls have been found to overlap with the commands used by BetaSeed, a C++-based backdoor malware used by the Kimsuky group. The DLL version of BetaSeed also steals information from the victim system and performs additional malicious actions based on the commands it receives from the C&C server.
- MD5: d6abeeb469e2417bbcd3c122c06ba099
- Reference: 수입 신고서를 위장하여 국내 연구 기관을 노리는 Kimsuky
However, the 2 malware were separated into different types because they were written in different languages and there were no similarities in the code other than the strings in the function names.
It is noteworthy that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group’s backdoor malware. Furthermore, the fact that the mutex used in the previous AppleSeed malware was reused after two years without being updated suggests that the author of the Troll Stealer malware based on AppleSeed may have made a mistake.
Conclusion
- S2W threat research and intelligence center Talon has hunted for and analyzed a sample of a new malware from the Kimsuky group, and named Troll Stealer.
- Troll Stealer is written in Go and identified as an Info-stealer malware that steals information from infected systems (SSH, FileZilla, C drive files/directories, browsers, system information, screen captures).
—Troll Stealer is distributed by dropping and executing from a Dropper disguised as SGA Solutions’ Trusted PKI installer. - The dropper runs as a legitimate installer alongside the malware, and both the dropper and malware are signed with a valid, legitimate “D2innovation Co.,LTD” certificate, suggesting that the company’s certificate was actually stolen.
- Troll Stealer includes the ability to steal the GPKI folder on infected systems, which suggests that the campaign may have been targeting devices within administrative and public organizations in South Korea
— The Kimsuky group has no known history of hijacking GPKI folders or utilizing the SOCKS5 protocol in the past, so it is possible that they have set new targets, or that another group with access to the source code for AppleSeed/AlphaSeed created Troll Stealer and GoBear. - S2W believes that the Kimsuky group is likely behind the distribution of this malware based on the group’s active use of Go-based malware and the many similarities found between Troll Stealer and the existing AppleSeed and AlphaSeed malware.
- In addition to Troll Stealer, additional malware signed with the same legitimate certificate was found, so it is possible that malware signed with that certificate may be distributed in the future.
MITRE ATT&CK
Resource Development
- (T1588.004 ) Digital Certificates
Execution
- (T1204.002) Malicious File
- (T1059.001) PowerShell
- (T1059.003) Windows Command Shell
Defense Evasion
- (T1027.002) Software Packing
Credential Access
- (T1555.003) Credentials from Web Browsers
- (T1539) Steal Web Session Cookie
Discovery
- (T1057) Process Discovery
- (T1087.001) Local Account
- (T1083) File and Directory Discovery
- (T1518.001) Security Software Discovery
- (T1082) System Information Discovery
- (T1016) System Network Configuration Discovery
Collection
- (T1005) Data from Local System
- (T1113) Screen Capture
- (T1560) Archive Collected Data
Command and Control
- (T1071.001) Web Protocol
Exfiltration
- (T1041) Exfiltration Over C2 Channel
Appendix A. IoCs
File hash
Dropper
- 19c2decfa7271fa30e48d4750c1d18c1
- 6eebb5ed0d0b5553e40a7b1ad739589709d077aab4cbea1c64713c48ce9c96f9
- 7b6d02a459fdaa4caa1a5bf741c4bd42
- f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
- 27ef6917fe32685fdf9b755eb8e97565
- 2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e
Backdoor (GoBear)
- 87429e9223d45e0359cd1c41c0301836
- a8c24a3e54a4b323973f61630c92ecaad067598ef2547350c9d108bc175774b9
Troll Stealer
- 7457dc037c4a5f3713d9243a0dfb1a2c
- ff3718ae6bd59ad479e375c602a81811718dfb2669c2d1de497f02baf7b4adca
- c8e7b0d3b6afa22e801cacaf16b37355
- 955cb4f01eb18f0d259fcb962e36a339e8fe082963dfd9f72d3851210f7d2d3b
- 88f183304b99c897aacfa321d58e1840
- bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d
Network
- hxxp[:]//ai.kostin.p-e[.]kr/index.php
- hxxp[:]//ar.kostin.p-e[.]kr/index.php
- hxxp[:]//ai.negapa.p-e[.]kr/index.php
- hxxp[:]//ol.negapa.p-e[.]kr/index.php
- hxxp[:]//ai.limsjo.p-e[.]kr/index.php
- hxxp[:]//qi.limsjo.p-e[.]kr/index.php
- hxxp[:]//coolsystem[.]co.kr/admin/mail/index.php
- ai.kostin.p-e[.]kr
- ar.kostin.p-e[.]kr
- ai.negapa.p-e[.]kr
- ol.negapa.p-e[.]kr
- ai.limsjo.p-e[.]kr
- qi.limsjo.p-e[.]kr
- 216.189.159[.]197