Troll Stealer: A treacherous "troll" from North Korea is hunting for your secrets

Teacher
Hackers are particularly good at stealing GPKI certificates from their southern neighbors.

A recent report by the South Korean company S2W revealed a new type of malicious software written in Go (Golang), called Troll Stealer. This tool, which is linked to the activities of the North Korean group Kimsuky, specializes in extracting confidential data from victims' computers. The stolen information includes SSH and FileZilla data, the contents of the C drive, browser data, system information, and screenshots.

The connection between Troll Stealer and Kimsuky was established based on similarities with other developments of this group — AppleSeed and AlphaSeed.

Kimsuky itself is known by many names, including APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Nickel Kimball, and Velvet Chollima. It has long been the focus of experts' attention, conducting sophisticated cyber operations to gather intelligence on behalf of North Korea. Its main targets are government secrets, commercial and financial information, and data related to security and defense.

In November 2023, sanctions were imposed against Kimsuky by the US Treasury's Office of Foreign Assets Control.

According to S2W, Troll Stealer is distributed using a dropper disguised as a software installer from the South Korean company SGA Solutions. Interestingly, the dropper runs in parallel with the malware itself, and both files are signed with a valid certificate from D2Innovation Co., LTD. The certificate was probably compromised.
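Because the dropper and the stealer carry a valid signature, a signature-validity check alone will not flag them; what a defender can hunt for is the signer itself. The following PowerShell script is an added example, not code from the original post or from S2W's report: it walks a directory tree, reads the Authenticode signer of each executable, and reports files whose signer subject matches a watch-list. The watch-list entry "D2Innovation" is the name given in the post above; the scan root and the report path are assumptions.

```powershell
# Added example (not from the original post or S2W's report): hunt a directory tree
# for signed PE files whose signer subject matches a watch-list of compromised signers.
# "D2Innovation" comes from the post above; $Root and $Report are assumptions.
$Root      = 'C:\Users'                   # assumption: where downloaded installers usually land
$WatchList = @('D2Innovation')            # signer subject substrings to flag
$Report    = "$env:TEMP\signer-hunt.csv"  # assumption: where to write the findings

$hits = Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll, *.msi -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue
        if ($null -ne $sig -and $null -ne $sig.SignerCertificate) {
            $subject = $sig.SignerCertificate.Subject
            foreach ($w in $WatchList) {
                if ($subject -like "*$w*") {
                    [pscustomobject]@{
                        Path       = $file.FullName
                        Status     = $sig.Status                     # 'Valid' even for abused certificates
                        Subject    = $subject
                        Thumbprint = $sig.SignerCertificate.Thumbprint
                        NotAfter   = $sig.SignerCertificate.NotAfter
                        SHA256     = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }

# Persist the findings for triage and show them on screen.
$hits | Export-Csv -Path $Report -NoTypeInformation
$hits | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that user profiles are readable. The match is on the certificate subject rather than on `Status`, which is the point of the check: a stolen but unrevoked certificate still yields `Valid`. Once a compromised certificate is confirmed, record its thumbprint from the report and add it to the watch-list or to an application-control block rule.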

The ability to steal GPKI certificates issued by the South Korean government is a hallmark of Troll Stealer. GPKI certificates serve as digital identity documents for using electronic government services. Since Kimsuky has never been seen doing this before, this indicates either a change of tactics or that another closely related hacker group has gained access to the source code of Kimsuky's malicious software.

The second possibility is supported by the detection of signs of communication between Kimsuky and the GoBear backdoor, which also uses the stolen D2Innovation certificate. GoBear's functionality overlaps with another Kimsuky backdoor, BetaSeed. However, GoBear, unlike the group's previous developments, supports SOCKS5 proxying.