Troll Stealer Detection: Novel Malware Actively Leveraged by North Korean Kimsuky APT

The infamous North Korean state-sponsored hacking group Kimsuky APT has been spotted leveraging a newly discovered Golang-based information stealer tracked as Troll Stealer along with GoBear malware strains in recent attacks against South Korea. The novel malware is capable of stealing user data, network-related data, system information, and other types of data from compromised systems.

Detect Kimsuky Attacks Using Troll Stealer & GoBear Malware

The year 2023 has been marked by the increasing activity of advanced persistent threat (APT) groups, being a wake-up call for cyber defenders that the world is standing on the brink of a global cyber war. With North Korea-backed threat actors being among the most active and nefarious groups, organizations require advanced cybersecurity tools to cope with the escalating volumes of attacks. 

To detect the latest Kimsuky campaign leveraging Troll Stealer and GoBear backdoor to target organizations in South Korea, SOC Prime Platform aggregates a set of curated detection algorithms compatible with 28 SIEM, EDR, XDR, and Data Lake solutions. All the rules are mapped to MITRE ATT&CK v14.1 and accompanied with extensive metadata, including CTI links, ATT&CK references, triage recommendations, and more. 

Just press the Explore Detections button below and drill down to a dedicated detection stack helping to identify possible Troll Stealer attacks. 

Explore Detections

To help security practitioners stay ahead of attacks posed by Kimsuky APT, SOC Prime Platform aggregates a broader selection of rules covering malicious activity associated with threat actor in the limelight. Just search Threat Detection Marketplace by “Kimsuky” tag based on the group identifier or follow this link.

Kimsuky APT Latest Attack Analysis

Nation-backed North Korean hacking groups, like Lazarus APT or APT37, have been causing a stir in the cyber threat arena for at least half a decade. S2W has recently issued research into a newly discovered malicious sample, which is believed to be linked to another infamous North Korean group known as Kimsuky.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald, STOLEN PENCIL, Thallium, or Velvet Chollima, has been operating since 2013, primarily targeting South Korea. In late January 2022, they applied open-source RATs and a custom Gold Dragon backdoor to hit South Korean organizations. The backdoor was used to download an xRAT tool for manually extracting data from the compromised system.

In the latest attack, Kimsucky employed a malicious dropper file masquerading as a legitimate security software installer from the South Korean company, SGA Solutions, to deploy Troll Stealer intended for data exfiltration. Notably, the dropper operates as a legitimate installer, accompanying the malware, and both components are signed with a legitimate certificate from D2Innovation Co., Ltd., implying that the company’s certificate should have been stolen by adversaries. The Troll Stealer’s capability to steal South Korean government-issued GPKI certificates from affected systems indicates that malware might be potentially used to target South Korean public sector organizations. 

Security researchers also link the most recent Kimsuky activity to the use of the GoBear backdoor, which shares a similar certificate and applies identical commands used by BetaSeed malware from the group’s adversary toolkit. Notably, GoBear introduced SOCKS5 proxy functionality, which previously hadn’t been linked to Kimsuky’s backdoor malware capabilities. 

With the increasing risks of the latest Kimsuky’s attacks posing a potential threat to South Korean organizations in multiple industry sectors, including government entities, defenders are looking for ways to implement preemptive cybersecurity strategies to timely thwart targeted APT attacks. Browse SOC Prime to reach 500+ detection algorithms against diverse APT attacks for proactive cyber defense.