Author: Jiho Kim & Sebin Lee | BLKSMTH

Last Modified : Feb 7, 2024


Executive Summary

— The malware was found to be distributed from a page that redirects users to a specific site located in South Korea to download a security program.

— Unlike typical supply chain attacks, only 2 of the 5 installers distributed by the site were modified to include the malware.

— However, there is also a possibility that another group closely associated with the Kimsuky group is behind the malware, as we have identified some differences in the TTPs from those previously observed from the Kimsuky group.

— However, the TTPs differ in some respects from those previously used by the Kimsuky group, suggesting that another group closely associated with the Kimsuky group may be behind this campaign.

Introduction

On January 10, 2024, a Go language-based information-stealing malware was discovered, and we conducted a detailed analysis of it. The malware was distributed from a security program download page that users were redirected to when accessing a specific website in Korea, and it was disguised as a security program installation file (TrustPKI, NX_PRNMAN) of SGA Solutions.

Figure 1. Example of a security program download page when accessing a specific website in South Korea

The malware was identified as a dropper type that drops and executes both a legitimate installer and malware when executed, and both the dropper and internal malware were signed with a valid “D2innovation Co.,LTD” certificate instead of the original certificate “SGA Solutions”.

Figure 2. Valid D2innovation Co.,LTD certificate identified by the Dropper malware.

The DLL file dropped from the dropper file is a Go language-based information-stealing malware packed with VMProtect and contains the path “D:/~/repo/golang/src/root.go/s/troll/agent” inside. It collects certain files and system information on the infected system and leaks the collected information to the C&C server. Our analysis revealed that it borrows some code from open-source stealers.

Figure 3. Paths present in the Troll Stealer.

Talon, S2W’s threat research and intelligence center, believes that the Kimsuky group is behind the malware because it has similarities to existing malware from the Kimsuky group, such as nearly identical commands for collecting system information in the AppleSeed malware and the same RC4 + RSA combination for file encryption used by the AlphaSeed malware.

Talon has named the malware “Troll Stealer” because it uses the pathname “D:/~/repo/golang/src/root.go/s/troll/agent”.

Detailed Analysis

Sample Information

The malware is disguised as the TrustPKI installer from SGA Solutions, and when executed, it steals information from the infected system and sends it to the C&C server.

  1. The dropper drops a malicious DLL file and loads it via Rundll32.exe
  2. It executes the NXTPKIENTS.exe file, which is a legitimate installer
  3. Troll Stealer steals information from the infected system
  4. It then sends the stolen data to the C&C server
  5. Finally, it performs self-deletion via PowerShell

Figure 4. Malware execution flow

Stage1. Dropper

1. Mutex & Self-deletion

When executed, it creates a mutex to prevent duplicate execution and subsequently creates and executes a BAT script file in the %Temp% subpath for self-deletion.

Mutex name: windows update {2024–1020–02A}

:goto_redel
rd /s /q [File path]
del [File path]
if exist [File path] goto goto_redel
del %Temp%[A-Z0-9]{4}.tmp.bat

2. Execute Normal Installer (NXTPKIENTS.exe)

It then drops a legitimate installation file from SGA Solutions in the Desktop path and runs it. The installation file was verified to be a legitimate file signed with the “SGA Solutions Co.,Ltd” certificate.

Figure 5. Legitimate SGA Solutions installation file executed by the Dropper malware.

3. Drop & Load Malicious DLL

In addition to the normal installation files, it also drops Troll Stealer and a file for checking for infection, and the paths to each of these files are shown below. The folder and file names generated by different Dropper malware samples vary, but the following paths and names were found in the samples we analyzed.

Table 2. Paths where information-stealing malware is dropped and filenames for infection history checks

Troll Stealer is then executed via the rundll32.exe process, which calls the same Export function as the filename used for the infection check. The malware was packed with VMProtect to prevent analysis.

Stage2. Troll Stealer

1. Initial behavior

During its initial execution, it deletes the “ChromeUpdateTaskMachineUAC” scheduled task. However, given that neither Troll Stealer nor its parent Dropper has a feature to register a scheduled task with that name, this is likely a feature used in the past that was accidentally left in rather than removed.

The malware then checks for the existence of the infection-check file dropped by the dropper malware to determine whether it was executed via a dropper. It performs malicious behavior only if the file exists.

The stealer itself also registers mutexes to prevent duplicate execution.

2. Set configuration data

It collects the MAC address and directory path of the infected system and creates a temporary file containing the configuration data used for its later malicious behavior. The configuration contains information such as C&C server addresses.

Table 2. Data in configuration

{
    "ServerID": 0,
    "ObjectID": 0,
    "GtType": 2111,
    "GtID": [sha1_hash(little_endian(mac_addr[:8]))],
    "GtVer": "gt@2.0",
    "Interval": 0,
    "LocalPath": "%AppData%local",
    "MacAddr": [MacAddr],
    "ProxyNum": 5,
    "ProxyUrl": [
        "",
        "",
        "",
        "http://qi.limsjo.p-e.kr/index.php",
        "http://ai.limsjo.p-e.kr/index.php"
    ]
}

The Config file is then encrypted, sent to the C&C server, and deleted.

3. Data collection

Troll Stealer steals various information from the infected system, encrypts it, and sends it to the C&C server. The malware steals the following information:

Table 3. Target data and encrypted filename

3.1. SSH

It exfiltrates the infected system’s SSH information. It compresses the system’s .ssh directory and creates a file. Afterward, it encrypts the compressed file, creates a file in a different path, and sends it to the C&C server.

3.2. FileZilla

It exfiltrates information from FileZilla software present on the infected system. It compresses the filezilla directory and creates a file. The compressed file is then encrypted and created as a file in a different path and sent to the C&C server.

3.3. Microsoft Sticky Note

It exfiltrates information from Microsoft Sticky Note present on the infected system. It compresses the localstate directory and creates a file. The compressed file is then encrypted and created as a file in a different path and sent to the C&C server.

3.4. “GPKI” directory in C Drive

Troll Stealer steals data from a specific folder on the C drive of an infected system. The malware collects the names of files and folders on the C drive and appends additional strings to each name to create a new string, as shown below. It then generates a SHA512 hash of that string, and if it matches the SHA512 hash hardcoded in the malware, it encrypts the file and sends it to the C&C server. Analyzing the hardcoded SHA512 hash revealed that the attacker attempted to steal the GPKI folder on the C drive.

==> Target string: aaxxyyzzgpkizzyyxxaa

GPKI, also known as an administrative electronic signature certificate, is an authorized certificate used to verify the authenticity of administrative electronic signatures, and it is used by government bodies such as administrative and public institutions in South Korea. In other words, it is not used on ordinary computers but is usually installed on computers used for public affairs. In this regard, it is believed that this campaign is aimed at PCs used in the public sector.
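The name-hash check described in this section can be reproduced by an analyst to recover a targeted folder name from an embedded digest and to scope which hosts hold that folder. This is an added example, not code from the original report or from the malware; the prefix and suffix are inferred from the target string quoted above, lower-casing the name is an assumption, and the digest list, candidate names and host inventory are constructed.

```python
import hashlib

# Wrapper inferred from the target string quoted above ("aaxxyyzzgpkizzyyxxaa").
# Lower-casing the folder name before hashing is an assumption.
PREFIX, SUFFIX = "aaxxyyzz", "zzyyxxaa"

def name_digest(name: str) -> str:
    """SHA-512 hex digest of a folder name wrapped the way the text describes."""
    wrapped = f"{PREFIX}{name.lower()}{SUFFIX}"
    return hashlib.sha512(wrapped.encode("utf-8")).hexdigest()

def recover_targets(embedded_digests, candidates):
    """Map each embedded digest to the candidate folder name that produces it."""
    wanted = {d.lower() for d in embedded_digests}
    return {name_digest(n): n for n in candidates if name_digest(n) in wanted}

def hosts_with_target(inventory, target_names):
    """Hosts whose C:\\ top-level listing contains one of the targeted names."""
    targets = {t.lower() for t in target_names}
    return sorted(host for host, entries in inventory.items()
                  if targets & {e.lower() for e in entries})

# Constructed stand-in for the digest hardcoded in the sample; the real value
# is not reproduced on this page, so it is derived from the quoted string.
EMBEDDED = [hashlib.sha512(b"aaxxyyzzgpkizzyyxxaa").hexdigest()]

# Constructed candidate names and host inventory (hypothetical host names).
CANDIDATES = ["Windows", "Users", "Program Files", "NPKI", "GPKI", "Temp"]
INVENTORY = {
    "GOV-PC-07": ["Windows", "Users", "GPKI", "Program Files"],
    "LAB-PC-02": ["Windows", "Users", "Temp"],
}

if __name__ == "__main__":
    names = sorted(recover_targets(EMBEDDED, CANDIDATES).values())
    print("targeted folder names:", names)
    print("hosts holding them:", hosts_with_target(INVENTORY, names))
```

Because the set of plausible top-level folder names is small, hashing the name only hides the target from casual string inspection; a short candidate list is enough to recover it.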

3.5. Browser Information

It steals browser information from the infected system. The malware is believed to have utilized HackBrowserData, an open-source program written in Go language, to steal browser information. It targets Chromium-based browsers and Firefox browsers on infected systems and steals various information such as cookies, history, downloads, and extensions and saves them as JSON files in the browser directory. After compressing the browser directory, it performs encryption and sends it to the C&C server.

3.6. System Information

It steals system information from an infected system. It collects infected system information through CMD commands, encrypts it, and creates a file. The encrypted file is sent to the C&C server.

Table 4. List of system information collected
systeminfo & 
net user &
query user &
powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct &
wmic qfe &
wmic startup get &
wmic logicaldisk get &
ipconfig /all &
arp -a &
route print &
tasklist &
wmic process get Caption, Commandline &
dir "%programfiles%" &
dir "%programfiles% (x86)" &
dir "%programdata%\Microsoft\Windows\Start Menu\Programs" &
dir "%appdata%\Microsoft\Windows\Recent" &
dir /s "%userprofile%\desktop" &
dir /s "%userprofile%\downloads" &
dir /s "%userprofile%\documents"
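
A hunting sketch for the command chain in Table 4, added here as an example and not taken from the original report: it counts how many of the listed commands appear under one parent process, whether they are chained with & or spawned separately. The event fields (host, parent_pid, cmdline), the threshold and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# One regex per command from Table 4 (the dir listings are left out as too common).
PATTERNS = [re.compile(p) for p in (
    r"\bsysteminfo\b",
    r"\bnet\s+user\b",
    r"\bquery\s+user\b",
    r"securitycenter2.*antivirusproduct",
    r"\bwmic\s+qfe\b",
    r"\bwmic\s+startup\s+get\b",
    r"\bwmic\s+logicaldisk\s+get\b",
    r"\bipconfig\s+/all\b",
    r"\barp\s+-a\b",
    r"\broute\s+print\b",
    r"\btasklist\b",
    r"\bwmic\s+process\s+get\b",
)]

def matched(cmdline):
    """Indexes of the Table 4 commands present in one command line."""
    low = cmdline.lower()
    return {i for i, rx in enumerate(PATTERNS) if rx.search(low)}

def hunt(events, threshold=8):
    """Flag (host, parent_pid) pairs whose children cover >= threshold commands."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["host"], ev["parent_pid"])] |= matched(ev["cmdline"])
    return sorted(key for key, hits in seen.items() if len(hits) >= threshold)

# Constructed process-creation events (hypothetical field names and values).
CHAIN = ("cmd /c systeminfo & net user & query user & powershell Get-CimInstance "
         "-Namespace root/SecurityCenter2 -Classname AntivirusProduct & wmic qfe & "
         "wmic startup get & wmic logicaldisk get & ipconfig /all & arp -a & "
         "route print & tasklist & wmic process get Caption, Commandline")
EVENTS = [
    {"host": "PC-01", "parent_pid": 4120, "cmdline": CHAIN},
    {"host": "PC-02", "parent_pid": 900, "cmdline": "ipconfig /all"},
    {"host": "PC-02", "parent_pid": 900, "cmdline": "tasklist /svc"},
]

if __name__ == "__main__":
    for host, ppid in hunt(EVENTS):
        print(f"review {host}: parent PID {ppid} ran the discovery chain")
```

Counting distinct commands per parent keeps routine single-command admin activity, such as the PC-02 events, below the threshold.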

3.7. Screen Capture

It captures the current desktop screen of the infected machine and saves it to a file, using the screenshot package by “kbinani” published on GitHub. It then encrypts the captured file, creates a file, and sends the encrypted file to the C&C server.

4. File Encryption

Before sending the stolen data to the C&C server, it encrypts the data using a combination of RC4 and RSA-4096 algorithms. The malware parses the RSA public key from the hardcoded DER of PKCS#1. It then randomly generates an RC4 key value and uses it to encrypt the stolen data. The RC4 encryption key is encrypted with the RSA public key.

Figure 6. Encryption flow before file transfer

5. C&C Communication

The malware creates a 60-byte structure and organizes 12 fields to exfiltrate the Config data and data stolen from the victim system. The value of each field is set differently depending on the purpose of the communication and the type of data to be transmitted, and the payload is located after the size_payload field. The configured data is XORed and Base64 encoded and sent to the C&C server through the HTTP protocol. The common structure for communication is shown in Figure 7, and the meaning of each field is described in Table 5.

Figure 7. The communication data structures used by Troll Stealer.
Table 5. Fields in a data structure

After organizing the data to be sent into a structure, it performs an XOR operation using a 4-byte key hardcoded in the binary, followed by Base64 encoding. The encoded result is sent to the C&C server in the format “a=[Encoded_Data]”.

Figure 8. Data computation process
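
For responders working from proxy logs or packet captures, the encoding described above can be reversed as follows. This is an added example, not code from the original report or from the malware. It assumes the standard Base64 alphabet, a key that repeats from offset 0, and a payload that begins right after the 60-byte structure; the key and sample bytes are constructed placeholders, not values from the sample.

```python
import base64
from itertools import cycle
from urllib.parse import quote, unquote

HEADER_LEN = 60  # size of the fixed structure given in the text

def xor4(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating 4-byte key (assumed to start at offset 0)."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_body(body: str, key: bytes):
    """Turn a captured 'a=<data>' parameter into (header, payload)."""
    name, sep, value = body.strip().partition("=")
    if name != "a" or not sep:
        raise ValueError("expected the a=<data> format")
    # Logs may hold the value percent-encoded, or form-decoded with '+'
    # already turned into a space; normalise both before Base64 decoding.
    value = unquote(value).replace(" ", "+")
    plain = xor4(base64.b64decode(value, validate=True), key)
    if len(plain) < HEADER_LEN:
        raise ValueError("shorter than the 60-byte structure")
    return plain[:HEADER_LEN], plain[HEADER_LEN:]

# Constructed capture: placeholder key and header bytes, "init" as the payload.
SAMPLE_KEY = bytes.fromhex("1337c0de")  # constructed, NOT the key from the sample
_plain = bytes(range(HEADER_LEN)) + b"init"
SAMPLE_BODY = "a=" + quote(
    base64.b64encode(xor4(_plain, SAMPLE_KEY)).decode(), safe="")

if __name__ == "__main__":
    header, payload = decode_body(SAMPLE_BODY, SAMPLE_KEY)
    print(len(header), payload)
```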

The final stolen data is sent as follows:

Troll Stealer sends the “init” string in the payload to the C&C server only the first time it communicates, and only when it receives the “ok” string in response does it continue to leak the stolen data.

In this case, there are a total of four communications per exfiltration of configuration or stolen items: the first communication performs the ping function, and the second and third communications are sent with the same data in the payload, although the value of the status_type field is configured differently in each. Finally, the fourth communication includes the stolen filename in the payload and sets the value of the send_type field to 5. Once the file is successfully sent to the C&C server, the malware deletes the encrypted file in the %appdata%local path.

Figure 9. Communication flow for Troll Stealer

6. Self-deletion

After the malware has run, it creates a PS1 file in the .tmp directory and runs it via powershell.exe, which deletes Troll Stealer itself.

$target = {Stealer Path}
for ($i = 0; $i -lt 50; $i++)
{
    Remove-Item $target -Force
    Remove-Item $PSCommandPath -Force
    if (!(Test-Path $target) -and !(Test-Path $PSCommandPath))
    {
        break
    }
    Start-Sleep -Seconds 2
}

Attribution

S2W speculates that the Kimsuky group may be behind the distribution of this malware based on the group’s recent active use of Go-based malware and the similarity of the code to existing AppleSeed and AlphaSeed malware.

Correlation with AppleSeed/AlphaSeed

The path to which the dropper malware drops Troll Stealer and the filename format it creates appear similar to the path and filename of AppleSeed, which was disclosed by ASEC.

Table 8. AppleSeed vs. Troll Stealer path and filename comparison

In addition, the hardcoded commands it executes to collect infected system information are identical to those found in the AppleSeed malware discovered in May 2023. However, in the case of the recently discovered malware, two additional commands were added to obtain information about the user’s accounts and sessions.

Table 9. Comparison of commands to steal information

In addition, the same type of mutexes identified in the Troll Stealer Dropper malware were found in both AppleSeed Dropper and Meterpreter, which have been used by the Kimsuky group in the past.

Table 10. Mutexes used in the Kimsuky group’s malware

Troll Stealer then compresses the folder where the stolen files are stored and encrypts them using RSA and RC4 algorithms. We found that the combination and the encryption execution flow are the same as those used by AlphaSeed.

Figure 10. The encryption/decryption method used by AlphaSeed and Troll Stealer.

Furthermore, the Go language library used to capture the victim system’s desktop screen was identified as the same kbinani package also used by AlphaSeed.

Another golang-based backdoor (GoBear)

In addition to Troll Stealer, another Go language-based backdoor malware signed with a legitimate “D2innovation Co.,LTD” certificate was also found.

The malware performs malicious behaviors based on the commands it receives from the C&C server, and the strings contained in the names of the functions it calls have been found to overlap with the commands used by BetaSeed, a C++-based backdoor malware used by the Kimsuky group. The DLL version of BetaSeed also steals information from the victim system and performs additional malicious actions based on the commands it receives from the C&C server.

However, the two malware were classified as different types because they were written in different languages and there were no similarities in the code other than the strings in the function names.

Table 11. Correlations between backdoor malware used by the Kimsuky group

It is noteworthy that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group’s backdoor malware. Furthermore, the fact that the mutex used in the previous AppleSeed malware was reused after two years without being updated suggests that the author of the Troll Stealer malware based on AppleSeed may have made a mistake.

Conclusion

MITRE ATT&CK

Resource Development

Execution

Defense Evasion

Credential Access

Discovery

Collection

Command and Control

Exfiltration

Appendix A. IoCs

File hash

Dropper

Backdoor (GoBear)

Troll Stealer

Network


Source: https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

Tags: HUNTING, DARK WEB, PAYLOAD, BACKDOOR, APT, PROXY, LINUX, LEAK