Troll Stealer
The nation-state actor Kimsuky, associated with North Korea, is believed to have deployed a newly identified information-stealing malware, the Troll Stealer, built on the Golang programming language. This threatening software is designed to extract various types of sensitive data, including SSH credentials, FileZilla information, files and directories from the C drive, browser data, system details, and screen captures, among other things, from compromised systems.
Troll Stealer's connection to Kimsuky is inferred from its resemblances to well-known malware families like AppleSeed and AlphaSeed, both previously linked to the same threat actor group.
Table of Contents
Kimsuky Is an Active APT (Advanced Persistent Threat) Group
Kimsuky, alternatively identified as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Nickel Kimball, and Velvet Chollima, is renowned for its proclivity to engage in offensive cyber operations aimed at pilfering sensitive and confidential information.
In November 2023, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) pressed sanctions on these threat actors for their role in gathering intelligence to advance North Korea's strategic goals.
This adversarial group has also been linked to spear-phishing attacks directed at South Korean entities, utilizing various backdoors, including AppleSeed and AlphaSeed.
The Attack Operation Deploying the Troll Stealer Malware
An examination conducted by cybersecurity researchers has revealed the utilization of a dropper tasked with deploying the subsequent stealer threat. The dropper disguises itself as an installation file for a security program purportedly from a South Korean firm known as SGA Solutions. As for the name of the stealer, it is based on the path 'D:/~/repo/golang/src/root.go/s/troll/agent' embedded within it.
As per the insights provided by information security experts, the dropper operates as a legitimate installer in conjunction with the malware. Both the dropper and the malware bear the signature of a valid D2Innovation Co., LTD certificate, indicating a potential theft of the company's certificate.
A notable characteristic of the Troll Stealer is its capability to pilfer the GPKI folder on compromised systems, hinting at the likelihood that the malware has been employed in attacks directed at administrative and public organizations within the country.
Kimsiky May Be Evolving Their Tactics and Threatening Arsenal
In light of the absence of documented Kimsuky campaigns involving the theft of GPKI folders, there is speculation that the observed new behavior could signify a shift in tactics or the actions of another threat actor closely affiliated with the group, potentially possessing access to the source code of AppleSeed and AlphaSeed.
Indications also point towards the potential involvement of the threat actor in a Go-based backdoor named GoBear. This backdoor is signed with a legitimate certificate linked to D2Innovation Co., LTD and follows instructions from a Command-and-Control (C2) server.
Furthermore, the function names within GoBear's code overlap with commands used by BetaSeed, a C++-based backdoor malware employed by the Kimsuky group. Notably, GoBear introduces SOCKS5 proxy functionality, a feature not previously present in the backdoor malware associated with the Kimsuky group.
