Kimsuky APT: The TrollAgent Stealer Analysis
Who is Kimsuky?
The Kimsuky APT is a North Korea-based cyber espionage group operating since at least 2012. Initially, the group targeted South Korean government entities, think tanks, and individuals identified as experts in various fields.
Tracked as: APT43, Black Banshee, Velvet Chollima, THALLIUM, ARCHIPELAGO, and Emerald Sleet
Targets and Objectives: The group primarily targets South Korea, Japan, and the United States, focusing on sectors such as national defense, education, energy, government, healthcare, and think tanks. Their primary objective is intelligence gathering.
Tactics and Tools: Kimsuky employs a variety of tactics, including social engineering, spear-phishing emails, and watering hole attacks. They have developed unique malware for various operations.
What is TrollAgent Stealer?
Kimsuky began its campaign against significant targets in South Korea in January 2024. By January 24, we found that the compilation times for many samples dated back to December 2023. Based on these and other artifacts, our team at Dark Atlas initiated …
IoC
045f28a479ba19a95c0407a663e2f188
27ef6917fe32685fdf9b755eb8e97565
2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e
2e5f2a154e1b67cd0d6a2f6b5feb6de7
3b596ca429cf1b733f1ff3676189e44a
7457dc037c4a5f3713d9243a0dfb1a2c
7b6d02a459fdaa4caa1a5bf741c4bd42
88f183304b99c897aacfa321d58e1840
9e75705b4930f50502bcbd740fc3ece1
a67cf9add2905c11f5c466bc01d554b0
c8e7b0d3b6afa22e801cacaf16b37355
http://ai.negapa.p-e.kr/index.php
http://ar.kostin.p-e.kr/index.php
http://dl.netup.p-e.kr/index.php
http://qi.limsjo.p-e.kr/index.php
http://sa.netup.p-e.kr/index.php
import "pe"   // required: the condition uses the pe module (characteristics, exports, sections)

rule TrollAgent_Kimsuky_Stealer
{
    meta:
        description = "Detect TrollAgent Stealer"
        author = "Dark Atlas Squad"
        date = "2024-07-14"

    strings:
        // trampoline symbol names present in the stealer sample
        $ex1 = "rollbackHookTrampoline" wide ascii
        $ex2 = "preUpdateHookTrampoline" wide ascii
        $ex3 = "compareTrampoline" wide ascii
        $ex4 = "doneTrampoline" wide ascii
        $ex5 = "authorizerTrampoline" wide ascii

    condition:
        uint16(0) == 0x5a4d and                 // MZ header
        pe.characteristics & pe.DLL and         // sample is a DLL
        all of them and
        pe.number_of_exports > 11 and
        // section indices are 0-based, so the last valid index is number_of_sections - 1
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].name == ".vmp0" or pe.sections[i].name == ".vmp1"   // VMProtect sections
        )
}
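The hashes and C2 URLs above are only useful once they are swept against local telemetry. The script below is an added example (it is not Dark Atlas code and not part of the original post): it classifies each indicator by type, builds a lookup index, and runs it over a constructed proxy log and a set of file contents. A request to the exact C2 URL is reported as a high-confidence hit; a request to the same host on a different path is reported as medium, since the listed `index.php` endpoints may not be the only paths the operators use. The proxy-log line format, the IP addresses and the sample file contents are all constructed for the example.

```python
"""Sweep the TrollAgent IoCs from the post against proxy logs and file hashes.

Added example for this page; the log format and sample data are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list above: ten MD5s, one SHA-256, five C2 URLs.
TROLLAGENT_IOCS = [
    "045f28a479ba19a95c0407a663e2f188",
    "27ef6917fe32685fdf9b755eb8e97565",
    "2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e",
    "2e5f2a154e1b67cd0d6a2f6b5feb6de7",
    "3b596ca429cf1b733f1ff3676189e44a",
    "7457dc037c4a5f3713d9243a0dfb1a2c",
    "7b6d02a459fdaa4caa1a5bf741c4bd42",
    "88f183304b99c897aacfa321d58e1840",
    "9e75705b4930f50502bcbd740fc3ece1",
    "a67cf9add2905c11f5c466bc01d554b0",
    "c8e7b0d3b6afa22e801cacaf16b37355",
    "http://ai.negapa.p-e.kr/index.php",
    "http://ar.kostin.p-e.kr/index.php",
    "http://dl.netup.p-e.kr/index.php",
    "http://qi.limsjo.p-e.kr/index.php",
    "http://sa.netup.p-e.kr/index.php",
]

HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify(indicator):
    """Return 'md5', 'sha256', 'url' or 'unknown' based on the indicator's shape."""
    s = indicator.strip().lower()
    if HEX_RE.match(s):
        if len(s) == 32:
            return "md5"
        if len(s) == 64:
            return "sha256"
    if s.startswith(("http://", "https://")):
        return "url"
    return "unknown"


def build_index(indicators):
    """Group indicators into lookup sets; URLs also contribute their hostname."""
    idx = {"md5": set(), "sha256": set(), "url": set(), "host": set()}
    for ind in indicators:
        kind = classify(ind)
        if kind in ("md5", "sha256"):
            idx[kind].add(ind.strip().lower())
        elif kind == "url":
            url = ind.strip().lower()
            idx["url"].add(url)
            idx["host"].add(urlsplit(url).hostname)
    return idx


# Constructed proxy-log layout (hypothetical): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(lines, idx):
    """Return (confidence, client_ip, url) for each line that touches an IoC.

    'high'   = exact match on a listed C2 URL
    'medium' = same C2 hostname, different path
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        _ts, client, _method, url, _status = m.groups()
        u = url.lower()
        if u in idx["url"]:
            hits.append(("high", client, url))
        elif urlsplit(u).hostname in idx["host"]:
            hits.append(("medium", client, url))
    return hits


def scan_files(files, idx):
    """files: mapping path -> bytes. Return (path, algorithm, digest) for hash matches."""
    hits = []
    for path, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        sha = hashlib.sha256(data).hexdigest()
        if md5 in idx["md5"]:
            hits.append((path, "md5", md5))
        if sha in idx["sha256"]:
            hits.append((path, "sha256", sha))
    return hits


# Constructed sample log: one exact C2 hit, one same-host hit, one benign request.
SAMPLE_LOG = [
    "2024-07-14T09:12:01Z 10.0.0.15 GET http://ai.negapa.p-e.kr/index.php 200",
    "2024-07-14T09:12:05Z 10.0.0.15 POST http://dl.netup.p-e.kr/upload.php 200",
    "2024-07-14T09:13:40Z 10.0.0.22 GET http://example.com/index.php 200",
]

if __name__ == "__main__":
    index = build_index(TROLLAGENT_IOCS)
    for hit in scan_proxy_log(SAMPLE_LOG, index):
        print("proxy", *hit)
    for hit in scan_files({"sample.bin": b"constructed, non-matching content"}, index):
        print("file", *hit)
```

Feeding real proxy exports or a directory walk into `scan_proxy_log` and `scan_files` only requires adapting `LOG_RE` to the local log layout; the index itself can be extended with any further indicators in the same hash or URL form.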