Troll Stealer Malware Threat Targets Korean Computer Users
A recently discovered cyber threat has put Korean computer users at risk, as a sophisticated malware dubbed "Troll Stealer" has emerged, suspected to be orchestrated by the North Korea-linked nation-state actor, Kimsuky. This malware, crafted using Golang, a programming language, is designed to stealthily extract sensitive information from infected systems. South Korean cybersecurity firm S2W has unveiled the modus operandi of Troll Stealer, which includes the pilfering of SSH, FileZilla, C drive files/directories, browser data, system information, and even screen captures.
Table of Contents
Stealthy Data Extraction
Connections between Troll Stealer and Kimsuky are drawn from its resemblance to known malware strains like AppleSeed and AlphaSeed, previously attributed to this adversarial group. Kimsuky, also identified under various aliases such as APT43 and ARCHIPELAGO, is infamous for its cyber espionage activities, often aimed at acquiring confidential data to advance North Korea's strategic interests.
Strategic Espionage
The seriousness of the threat posed by Kimsuky was underscored when, in late November 2023, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned the group for its intelligence-gathering endeavors. Recent months have seen Kimsuky employing spear-phishing tactics to infiltrate South Korean targets, distributing a range of backdoors, including AppleSeed and AlphaSeed.
S2W's analysis highlights Troll Stealer's infiltration method, which involves a disguised dropper masquerading as a security program installation file from a South Korean company named SGA Solutions. Intriguingly, both the dropper and the malware bear the signature of a legitimate certificate belonging to D2Innovation Co., LTD, hinting at potential certificate theft.
Government Targeting
A particularly concerning aspect of Troll Stealer is its capability to plunder the GPKI (Government Public Key Infrastructure) folder from infected systems, indicating a possible targeting of administrative and public organizations within Korea. This behavior diverges from previous Kimsuky campaigns, leading to speculation about tactical shifts or the involvement of other threat actors with access to AppleSeed and AlphaSeed source code.
Furthermore, indications suggest Kimsuky's potential involvement with another malware, GoBear, which shares similarities with BetaSeed, a previously used backdoor. Notably, GoBear introduces SOCKS5 proxy functionality, a departure from Kimsuky's usual modus operandi.
The emergence of Troll Stealer underscores the persistent threat posed by Kimsuky to Korean cybersecurity. As cyber threats continue to evolve, vigilance and robust cybersecurity measures remain essential to safeguard sensitive information and protect against malicious actors like Kimsuky.
