Troll Stealer
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Troll Stealer uses HTTP to communicate with command and control infrastructure.(Citation: S2W Troll Stealer 2024)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Troll Stealer creates and executes a PowerShell script to delete itself.(Citation: S2W Troll Stealer 2024)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Troll Stealer can create and execute Windows batch scripts.(Citation: S2W Troll Stealer 2024)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Troll Stealer performs XOR encryption and Base64 encoding of data prior to sending it to command and control infrastructure.(Citation: S2W Troll Stealer 2024)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.(Citation: S2W Troll Stealer 2024)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.(Citation: S2W Troll Stealer 2024)
Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | Troll Stealer creates a mutex during installation to prevent duplicate execution.(Citation: S2W Troll Stealer 2024)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Troll Stealer creates and can execute a BAT script that will delete the malware.(Citation: S2W Troll Stealer 2024)
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Troll Stealer has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Troll Stealer, along with its associated dropper, utilizes legitimate, stolen code signing certificates.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Troll Stealer is dropped as a DLL file and executed via `rundll32.exe` by its installer.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Troll Stealer collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
Groups That Use This Software

ID | Name | References
---|---|---
G0094 | Kimsuky | (Citation: ASEC Troll Stealer 2024) (Citation: S2W Troll Stealer 2024) (Citation: Symantec Troll Stealer 2024)
References
- Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
- Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
- AhnLab ASEC. (2024, February 16). TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group). Retrieved January 17, 2025.