Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)
Author: Jiho Kim & Sebin Lee | BLKSMTH
Last Modified : Feb 7, 2024
Executive Summary
- S2W's threat research and intelligence center, Talon, hunted for and analyzed a sample on VirusTotal that is believed to be new malware from the Kimsuky group.
  - The malware was distributed from a page that redirects users to a specific site in South Korea to download a security program.
  - Unlike a typical supply chain attack, only 2 of the 5 installers distributed by the site were modified to include the malware.
- The malware is an info-stealer written in Go that collects information from the infected system. It is dropped and executed by a dropper disguised as an installer for SGA Solutions' security programs (TrustPKI, NX_PRNMAN).
- The dropper runs as a legitimate …
IoC
17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2
b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b22328af95610f72f1
19c2decfa7271fa30e48d4750c1d18c1
216.189.159.197
27ef6917fe32685fdf9b755eb8e97565
2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e
61b8fbea8c0dfa337eb7ff978124ddf496d0c5f29bcb5672f3bd3d6bf832ac92
6eebb5ed0d0b5553e40a7b1ad739589709d077aab4cbea1c64713c48ce9c96f9
7457dc037c4a5f3713d9243a0dfb1a2c
7b6d02a459fdaa4caa1a5bf741c4bd42
87429e9223d45e0359cd1c41c0301836
88f183304b99c897aacfa321d58e1840
955cb4f01eb18f0d259fcb962e36a339e8fe082963dfd9f72d3851210f7d2d3b
a8c24a3e54a4b323973f61630c92ecaad067598ef2547350c9d108bc175774b9
bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d
c8e7b0d3b6afa22e801cacaf16b37355
d6abeeb469e2417bbcd3c122c06ba099
f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
ff3718ae6bd59ad479e375c602a81811718dfb2669c2d1de497f02baf7b4adca
http://216.189.159.197
http://ai.kostin.p-e.kr
http://ai.kostin.p-e.kr/index.php
http://ai.limsjo.p-e.kr
http://ai.limsjo.p-e.kr/index.php
http://ai.negapa.p-e.kr
http://ai.negapa.p-e.kr/index.php
http://ar.kostin.p-e.kr
http://ar.kostin.p-e.kr/index.php
http://coolsystem.co.kr/admin/mail/index.php
http://ol.negapa.p-e.kr
http://ol.negapa.p-e.kr/index.php
http://qi.limsjo.p-e.kr
http://qi.limsjo.p-e.kr/index.php
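The IoC list above mixes MD5 and SHA-256 hashes, an IP address and URLs on undifferentiated lines, and in the extracted version two SHA-256 values were even run together into one 128-character line. The following script is an added example, not S2W/BLKSMTH code: it classifies such a list by indicator type (splitting runs of hex that are a multiple of 64 characters into consecutive SHA-256 values), then matches file hashes and proxy-log entries against it, flagging a known C2 host even when the requested path differs from the listed URL. The indicators embedded in `IOC_TEXT` are a subset copied from the list above; the file contents and proxy-log lines it checks are constructed for the demo and are not real telemetry.

```python
"""Classify a mixed IoC list (MD5, SHA-256, IPv4, URL) and match it against
file hashes and proxy-log lines.

Added example for this article, not S2W/BLKSMTH code. The indicators in
IOC_TEXT are copied from the article's IoC section; the byte string and log
lines that are checked below are constructed for the demo.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the article's IoC list; the first line is the run-together pair
# of SHA-256 values exactly as it appears in the extracted page.
IOC_TEXT = """
17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b22328af95610f72f1
19c2decfa7271fa30e48d4750c1d18c1
216.189.159.197
2e0ffaab995f22b7684052e53b8c64b9283b5e81503b88664785fe6d6569a55e
http://216.189.159.197
http://ai.kostin.p-e.kr/index.php
http://coolsystem.co.kr/admin/mail/index.php
"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(ioc_text):
    """Sort each non-empty line into md5 / sha256 / ipv4 / url / host sets.

    A hex line whose length is a multiple of 64 is split into consecutive
    SHA-256 digests, which repairs the run-together first line of the list.
    Anything that fits no category raises, so a malformed feed is noticed.
    """
    out = {"md5": set(), "sha256": set(), "ipv4": set(), "url": set(), "host": set()}
    for raw in ioc_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEX_RE.match(line):
            low = line.lower()
            if len(low) == 32:
                out["md5"].add(low)
            elif len(low) % 64 == 0:
                for i in range(0, len(low), 64):
                    out["sha256"].add(low[i:i + 64])
            else:
                raise ValueError(f"unrecognised hex length {len(low)}: {line}")
            continue
        if "://" in line:
            out["url"].add(line.rstrip("/").lower())
            out["host"].add((urlsplit(line).hostname or "").lower())
            continue
        try:
            ipaddress.IPv4Address(line)
            out["ipv4"].add(line)
            continue
        except ipaddress.AddressValueError:
            pass
        raise ValueError(f"unrecognised IoC: {line}")
    return out


def hash_bytes(data):
    """MD5 and SHA-256 hex digests of a byte string (a file read into memory)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def match_hashes(md5, sha256, iocs):
    """Return the hash types under which the sample appears in the IoC set."""
    hits = []
    if md5.lower() in iocs["md5"]:
        hits.append("md5")
    if sha256.lower() in iocs["sha256"]:
        hits.append("sha256")
    return hits


# Constructed proxy-log format: timestamp client method url status
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy_log(lines, iocs):
    """Return (line, reason) for each log line touching an indicator.

    reason is 'url' for an exact (normalised) URL match and 'host' when only
    the hostname or IP matches, which catches new paths on a known C2 host.
    """
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        norm = url.rstrip("/").lower()
        host = (urlsplit(url).hostname or "").lower()
        if norm in iocs["url"]:
            hits.append((line, "url"))
        elif host in iocs["host"] or host in iocs["ipv4"]:
            hits.append((line, "host"))
    return hits


SAMPLE_LOG = [  # constructed, not real telemetry
    "2024-02-07T09:12:44Z 10.0.0.21 GET http://ai.kostin.p-e.kr/index.php 200",
    "2024-02-07T09:13:01Z 10.0.0.21 GET http://ai.kostin.p-e.kr/update.bin 404",
    "2024-02-07T09:15:30Z 10.0.0.33 GET http://example.com/ 200",
    "2024-02-07T09:16:02Z 10.0.0.40 POST http://216.189.159.197/ 200",
]

if __name__ == "__main__":
    iocs = classify(IOC_TEXT)
    print({k: len(v) for k, v in iocs.items()})
    for line, reason in match_proxy_log(SAMPLE_LOG, iocs):
        print(reason, line)
```

Matching on hostname as well as on the exact URL is deliberate: the listed `index.php` paths are what the analysed sample contacted, but the same `p-e.kr` hosts can serve other paths, so a host-level hit is still worth triage even when the URL differs.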