S1196 Troll Stealer
Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stealer has typically been delivered through a dropper disguised as a legitimate security program installation file. Troll Stealer features code similar to AppleSeed, also uniquely associated with Kimsuky operations.[1][2]
| Item | Value |
|---|---|
| ID | S1196 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 January 2025 |
| Last Modified | 24 March 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Troll Stealer uses HTTP to communicate with command and control infrastructure.[1] |
| enterprise | T1560 | Archive Collected Data | Troll Stealer compresses stolen data prior to exfiltration.[1] |
| enterprise | T1217 | Browser Information Discovery | Troll Stealer collects information from Chromium-based browsers and Firefox such as cookies, history, downloads, and extensions.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Troll Stealer creates and executes a PowerShell script to delete itself.[1] |
| enterprise | T1059.003 | Windows Command Shell | Troll Stealer can create and execute Windows batch scripts.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Troll Stealer XOR-encrypts and then Base64-encodes data before sending it to command and control infrastructure.[1] |
| enterprise | T1213 | Data from Information Repositories | Troll Stealer gathers information from the Government Public Key Infrastructure (GPKI) folder, associated with South Korean government public key infrastructure, on infected systems.[1][2] |
| enterprise | T1005 | Data from Local System | Troll Stealer gathers information from infected systems such as SSH material from the victim's .ssh directory.[2] Troll Stealer also collects data from local FileZilla installations and Microsoft Sticky Notes.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Troll Stealer encrypts data sent to command and control infrastructure using RC4 in combination with RSA-4096.[1] |
| enterprise | T1480 | Execution Guardrails | - |
| enterprise | T1480.002 | Mutual Exclusion | Troll Stealer creates a mutex during installation to prevent duplicate execution.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Troll Stealer exfiltrates collected information to its command and control infrastructure.[1] |
| enterprise | T1083 | File and Directory Discovery | Troll Stealer can enumerate and collect items from local drives and folders.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Troll Stealer creates and can execute a BAT script that deletes the malware.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Troll Stealer has been delivered as a VMProtect-packed binary.[1][3] |
| enterprise | T1113 | Screen Capture | Troll Stealer can capture screenshots from victim machines.[1][2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Troll Stealer and its associated dropper are signed with legitimate, stolen code signing certificates.[1][3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Troll Stealer is dropped as a DLL file and executed via rundll32.exe by its installer.[1][3] |
| enterprise | T1082 | System Information Discovery | Troll Stealer can collect local system information.[1][2] |
| enterprise | T1016 | System Network Configuration Discovery | Troll Stealer collects the MAC address of victim devices.[1] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.004 | Private Keys | Troll Stealer collects all data in victim .ssh folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key material associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.[1][2] |
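The Standard Encoding row above states only the layering (XOR, then Base64). The following is an added example, not code from the malware or from the cited reports, showing what an analyst typically does with a captured payload of that shape: strip the Base64 layer and recover the XOR key by scoring candidate plaintexts. The single-byte key, the key value 0x37 and the victim record are assumptions made for the example; the real sample's key and record format are not given on this page.

```python
"""Peel a Base64-over-XOR payload and recover a single-byte XOR key.

Added example for the T1132.001 row; not Troll Stealer's own routine.
Assumption: one-byte repeating XOR key. A longer key would need per-position
frequency analysis and this helper would return garbage for it.
"""
import base64
import string

PRINTABLE = set(string.printable.encode())

# Constructed stand-in for a stolen host record (not real telemetry).
SAMPLE_RECORD = (b'{\r\n\t"host": "WIN-7F2Q",\r\n'
                 b'\t"mac": "00:0c:29:aa:bb:cc",\r\n'
                 b'\t"user": "jdoe"\r\n}')
ASSUMED_KEY = b"\x37"  # hypothetical key for the demonstration only


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key of any length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(plaintext: bytes, key: bytes) -> str:
    """Model of the observed order on the wire: XOR first, Base64 on top."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; 1.0 for clean text/JSON."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_key(b64_payload: str):
    """Try all 256 keys on the Base64-decoded bytes; keep the most text-like.

    Returns (key, plaintext). Ties keep the lowest key, so a result with a
    ratio well below 1.0 should be treated as 'no single-byte key found'.
    """
    raw = base64.b64decode(b64_payload, validate=True)
    best_key, best_score, best_plain = 0, -1.0, b""
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        score = printable_ratio(candidate)
        if score > best_score:
            best_key, best_score, best_plain = k, score, candidate
    return best_key, best_plain


if __name__ == "__main__":
    wire = encode_payload(SAMPLE_RECORD, ASSUMED_KEY)
    key, plain = recover_single_byte_key(wire)
    print(f"recovered key 0x{key:02x}")
    print(plain.decode())
```

The scoring works because the record mixes quotes, digits, CR/LF/TAB and both letter cases: every wrong key pushes at least one of those bytes outside the printable range, so only the true key scores 1.0. On a payload that is RC4-encrypted before the XOR/Base64 layers (see the Symmetric Cryptography row) no key will score well, which is itself a useful signal that the outer encoding is not the only protection.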
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | Troll Stealer is exclusively linked to Kimsuky operations.[1][2][3] |
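The Techniques Used table above describes an execution chain that is visible in endpoint telemetry: the installer runs the dropped DLL through rundll32.exe (T1218.011) and a batch or PowerShell script later deletes that DLL (T1059.001, T1059.003, T1070.004). The following is an added detection sketch, not code from the cited reports or from any vendor product. It assumes Sysmon-style process creation (Event ID 1) and file deletion (Event ID 23) records with the field names used below; the events, hostnames, paths and PIDs are constructed for the example, and the correlation of "DLL run from a user-writable path, then deleted by a script host on the same machine" is the added generalization that turns two medium-confidence rules into one high-confidence alert.

```python
"""Detection sketch for the rundll32-then-self-delete chain in endpoint logs.

Added example; not the cited reports' or any product's logic. Field names
follow Sysmon Event ID 1 (process create) and Event ID 23 (file delete),
which is an assumption about the telemetry available; adapt to your SIEM.
"""
import re

# Paths an installer can write to without privilege; DLLs loaded from here
# via rundll32.exe are suspicious regardless of their signature.
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads|Users\\Public)\\", re.I)
# First quoted or bare absolute .dll path in a rundll32 command line.
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s,]+\.dll)"?', re.I)

# Constructed sample telemetry for one host; not real events.
SAMPLE_EVENTS = [
    {"EventId": 1, "UtcTime": "2024-02-07 09:14:02", "Computer": "WS-17",
     "ProcessId": 4120, "Image": r"C:\Users\jdoe\Downloads\SecurityProgramSetup.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\SecurityProgramSetup.exe"'},
    {"EventId": 1, "UtcTime": "2024-02-07 09:14:05", "Computer": "WS-17",
     "ProcessId": 4188, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\jdoe\AppData\Local\Temp\update.dll",Start'},
    {"EventId": 1, "UtcTime": "2024-02-07 09:15:40", "Computer": "WS-17",
     "ProcessId": 4302, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\clean.bat"'},
    {"EventId": 23, "UtcTime": "2024-02-07 09:15:41", "Computer": "WS-17",
     "ProcessId": 4302, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\update.dll"},
    # Benign control: rundll32 loading a system DLL on another host.
    {"EventId": 1, "UtcTime": "2024-02-07 09:20:00", "Computer": "WS-22",
     "ProcessId": 880, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def rundll32_from_user_dir(event):
    """Rule 1: rundll32.exe started with a DLL that lives in a user-writable path.

    Returns the DLL path when the rule fires, else None.
    """
    if event["EventId"] != 1:
        return None
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return None
    m = DLL_ARG.search(event["CommandLine"])
    if m and USER_WRITABLE.search(m.group(1)):
        return m.group(1)
    return None


def script_host_deletes_binary(event):
    """Rule 2: cmd.exe or powershell.exe deleting a DLL/EXE from a user-writable path.

    A batch file's internal `del` does not spawn a process, so the deletion
    is only visible through file-delete telemetry, not process creation.
    """
    if event["EventId"] != 23:
        return None
    image = event["Image"].lower()
    if not (image.endswith("\\cmd.exe") or image.endswith("\\powershell.exe")):
        return None
    target = event["TargetFilename"]
    if target.lower().endswith((".dll", ".exe")) and USER_WRITABLE.search(target):
        return target
    return None


def find_self_delete_chains(events):
    """Correlate rule 1 and rule 2 on the same host and the same DLL path.

    Returns a list of (host, dll_path, rundll32_pid, deleting_pid) tuples,
    ordered by the time of the deletion event.
    """
    loaded = {}   # (host, dll path lowercased) -> PID of the rundll32 process
    chains = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        dll = rundll32_from_user_dir(ev)
        if dll:
            loaded[(ev["Computer"], dll.lower())] = ev["ProcessId"]
            continue
        target = script_host_deletes_binary(ev)
        if target:
            key = (ev["Computer"], target.lower())
            if key in loaded:
                chains.append((ev["Computer"], target, loaded[key], ev["ProcessId"]))
    return chains


if __name__ == "__main__":
    for host, dll, run_pid, del_pid in find_self_delete_chains(SAMPLE_EVENTS):
        print(f"{host}: {dll} run by rundll32 PID {run_pid}, deleted by PID {del_pid}")
```

Rule 1 on its own will also fire on legitimate installers that use rundll32 from a temp directory, so it is better suited to hunting than to paging; the correlated chain, and any hit where the DLL carries a valid signature from a company that has no business on the host (see the Code Signing row), are what merit an immediate look.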
References
1. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
2. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
3. AhnLab ASEC. (2024, February 16). TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group). Retrieved January 17, 2025.