
Troll Stealer

Troll Stealer is an information stealer written in Go and associated with Kimsuky operations. It has typically been delivered through a dropper disguised as the installation file of a legitimate security program. Troll Stealer shares code with AppleSeed, a malware family also uniquely associated with Kimsuky operations.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
ID: S1196
Type: MALWARE
Platforms: Windows
Created: 17 Jan 2025
Last Modified: 24 Mar 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Troll Stealer uses HTTP to communicate with its command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Troll Stealer creates and executes a PowerShell script to delete itself.(Citation: S2W Troll Stealer 2024)

.003 Command and Scripting Interpreter: Windows Command Shell

Troll Stealer can create and execute Windows batch scripts.(Citation: S2W Troll Stealer 2024)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Troll Stealer XOR-encrypts and Base64-encodes data before sending it to command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Enterprise T1074 .001 Data Staged: Local Data Staging

Troll Stealer encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.(Citation: S2W Troll Stealer 2024)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.(Citation: S2W Troll Stealer 2024)
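The T1132.001 and T1573.001 entries above describe a layered scheme: RC4 over the staged data, RSA-4096 around it, then an XOR mask and Base64 for transport over HTTP. The Go program below is an added illustration of such a hybrid envelope and its decoder; it is not Troll Stealer's code and not taken from the cited reports. The frame layout, the 16-byte RC4 session key, OAEP padding and the XOR key are assumptions made for the example, since the summary here does not state them.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// xorMask XORs data with a repeating key. XOR is its own inverse, so the same
// call both masks and unmasks. An empty key leaves the data unchanged.
func xorMask(data, key []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		if len(key) == 0 {
			out[i] = b
			continue
		}
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// sealBlob models the layering described for Troll Stealer: RC4 on the staged
// data under a fresh session key, that key wrapped with the operator's RSA
// public key (4096-bit per the report; OAEP padding is an assumption here),
// then an XOR mask and Base64 so the result fits in an HTTP request body.
// Frame layout (assumed): 2-byte big-endian wrapped-key length || wrapped key || RC4 body.
func sealBlob(pub *rsa.PublicKey, xorKey, payload []byte) (string, error) {
	sessionKey := make([]byte, 16)
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	c, err := rc4.NewCipher(sessionKey)
	if err != nil {
		return "", err
	}
	body := make([]byte, len(payload))
	c.XORKeyStream(body, payload)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return "", err
	}
	frame := make([]byte, 0, 2+len(wrapped)+len(body))
	frame = append(frame, byte(len(wrapped)>>8), byte(len(wrapped)))
	frame = append(frame, wrapped...)
	frame = append(frame, body...)
	return base64.StdEncoding.EncodeToString(xorMask(frame, xorKey)), nil
}

// openBlob is the receiving side. The XOR key is a constant an analyst can pull
// from the sample, but the RSA private key normally exists only on the C2
// server, so captured traffic stays opaque without it.
func openBlob(priv *rsa.PrivateKey, xorKey []byte, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	frame := xorMask(raw, xorKey)
	if len(frame) < 2 {
		return nil, errors.New("frame too short")
	}
	n := int(frame[0])<<8 | int(frame[1])
	if len(frame) < 2+n {
		return nil, errors.New("truncated wrapped key")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, frame[2:2+n], nil)
	if err != nil {
		return nil, err
	}
	c, err := rc4.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(frame)-2-n)
	c.XORKeyStream(out, frame[2+n:])
	return out, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 4096) // 4096-bit as in the report; takes a few seconds
	if err != nil {
		panic(err)
	}
	xorKey := []byte("k3y")                      // constructed mask, not the real one
	staged := []byte("host=WS01\nuser=alice\n") // constructed sample of staged data
	blob, err := sealBlob(&priv.PublicKey, xorKey, staged)
	if err != nil {
		panic(err)
	}
	plain, err := openBlob(priv, xorKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("roundtrip ok: %v, blob length: %d\n", bytes.Equal(plain, staged), len(blob))
}
```

The decoder shows why captured traffic cannot be read from the sample alone: Base64 and the XOR mask peel off with constants recoverable from the binary, but the RC4 session key is wrapped to a public key whose private half is held by the operator. For detection this pushes the useful signals toward the HTTP pattern and the delivery chain rather than the request contents.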

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

Troll Stealer creates a mutex during installation to prevent duplicate execution.(Citation: S2W Troll Stealer 2024)

Enterprise T1070 .004 Indicator Removal: File Deletion

Troll Stealer creates and executes a batch (BAT) script that deletes the malware from disk.(Citation: S2W Troll Stealer 2024)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Troll Stealer is typically installed via a dropper file that masquerades as a legitimate security program installation file.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Troll Stealer has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Troll Stealer, along with its associated dropper, is signed with legitimate but stolen code signing certificates.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Troll Stealer is dropped as a DLL file and executed via `rundll32.exe` by its installer.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)
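The T1059.001, T1059.003, T1070.004 and T1218.011 entries above describe one observable chain on the endpoint: an installer launching `rundll32.exe` on a DLL dropped in a user-writable directory, followed by a batch or PowerShell script that removes the files. The Go program below is an added detection example, not code from the cited reports or from the malware; it runs three rules over constructed process-creation records (the paths, file names and parent/child relationships in the samples are invented for the example) and reports the technique IDs each record matches.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal model of a process-creation record (fields that Sysmon
// event 1 and Security event 4688 both carry). Constructed for the example.
type ProcEvent struct {
	ParentImage string
	Image       string
	CommandLine string
}

var (
	// Locations a standard user can write to. A DLL or script launched from here
	// by a signed system binary is the installer chain described above.
	userWritable = regexp.MustCompile(`(?i)\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\`)
	// rundll32 <dll>,<export>  (T1218.011)
	dllArg = regexp.MustCompile(`(?i)rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)`)
	// cmd /c <script>.bat  (T1059.003)
	batArg = regexp.MustCompile(`(?i)cmd(?:\.exe)?"?\s+/[ck]\s+"?([^"\s]+\.bat)`)
	// PowerShell removing an executable or DLL (T1059.001 used for T1070.004)
	psDelete = regexp.MustCompile(`(?i)(?:Remove-Item|\bdel\b|\brm\b|\bri\b)\s.*\.(?:exe|dll)`)
)

// Triage returns a finding per matched rule; an empty result means clean.
func Triage(e ProcEvent) []string {
	var hits []string
	img := strings.ToLower(e.Image)
	switch {
	case strings.HasSuffix(img, `\rundll32.exe`):
		if m := dllArg.FindStringSubmatch(e.CommandLine); m != nil && userWritable.MatchString(m[1]) {
			hits = append(hits, fmt.Sprintf("T1218.011 rundll32 loading %s (parent %s)", m[1], e.ParentImage))
		}
	case strings.HasSuffix(img, `\cmd.exe`):
		if m := batArg.FindStringSubmatch(e.CommandLine); m != nil && userWritable.MatchString(m[1]) {
			hits = append(hits, fmt.Sprintf("T1059.003 batch script %s (parent %s)", m[1], e.ParentImage))
		}
	case strings.HasSuffix(img, `\powershell.exe`), strings.HasSuffix(img, `\pwsh.exe`):
		if psDelete.MatchString(e.CommandLine) {
			hits = append(hits, fmt.Sprintf("T1059.001/T1070.004 PowerShell deleting a binary (parent %s)", e.ParentImage))
		}
	}
	return hits
}

// sampleEvents are constructed records modelling the described chain plus one
// benign rundll32 use; they are not from any real incident.
var sampleEvents = []ProcEvent{
	{`C:\Users\alice\Downloads\SecurityTool_Setup.exe`, `C:\Windows\System32\rundll32.exe`,
		`"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\svc.dll",Run`},
	{`C:\Windows\System32\rundll32.exe`, `C:\Windows\System32\cmd.exe`,
		`cmd.exe /c "C:\Users\alice\AppData\Local\Temp\sd.bat"`},
	{`C:\Windows\System32\rundll32.exe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -ep bypass -c "Start-Sleep 2; Remove-Item -Force 'C:\Users\alice\AppData\Local\Temp\svc.dll'"`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\rundll32.exe`,
		`rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL`},
}

func main() {
	for i, e := range sampleEvents {
		for _, h := range Triage(e) {
			fmt.Printf("event %d: %s\n", i, h)
		}
	}
}
```

The path filter is what keeps the rundll32 rule quiet: the benign fourth record loads a DLL from `System32` and produces no finding, while the same binary loading from `%LOCALAPPDATA%\Temp` does. In production these rules belong in the SIEM, correlated on the parent process so the installer, the rundll32 child and the clean-up script are tied together rather than alerted on separately.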

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Troll Stealer collects the entire contents of victims' `.ssh` folders as a compressed archive that is subsequently exfiltrated to command and control infrastructure. Troll Stealer also collects key material associated with the Government Public Key Infrastructure (GPKI) service used by South Korean government information systems.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
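How much a stolen `.ssh` directory is worth depends on whether the private keys in it are passphrase-protected: an unprotected key is usable the moment it is copied. The Go program below is an added defensive check, not part of Troll Stealer or of the cited reports. It reads only the header of each private key file (the cipher name in the openssh-key-v1 format, or the Proc-Type header of a legacy PEM key) and lists the keys an attacker could use as-is; the sample keys it builds are constructed headers with no key material, and the scan of `~/.ssh` in main is the intended use. GPKI certificate stores are outside its scope.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// KeyStatus says whether a private key file is passphrase-protected.
type KeyStatus struct {
	Format    string // "openssh-key-v1" or "pem"
	Encrypted bool
	Cipher    string // cipher name ("none" for an unprotected openssh-key-v1 key)
}

const opensshMagic = "openssh-key-v1\x00"

// InspectKey parses only the header of the key; no key material is decoded.
func InspectKey(data []byte) (KeyStatus, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return KeyStatus{}, errors.New("no PEM block found")
	}
	switch block.Type {
	case "OPENSSH PRIVATE KEY":
		// Layout: magic || string ciphername || string kdfname || string kdfoptions || ...
		b := block.Bytes
		if !bytes.HasPrefix(b, []byte(opensshMagic)) {
			return KeyStatus{}, errors.New("bad openssh-key-v1 magic")
		}
		b = b[len(opensshMagic):]
		if len(b) < 4 || uint32(len(b)-4) < binary.BigEndian.Uint32(b) {
			return KeyStatus{}, errors.New("truncated cipher name")
		}
		n := binary.BigEndian.Uint32(b)
		cipher := string(b[4 : 4+n])
		return KeyStatus{"openssh-key-v1", cipher != "none", cipher}, nil
	case "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY":
		// Legacy PEM keys announce encryption in a Proc-Type header.
		enc := strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
		return KeyStatus{"pem", enc, block.Headers["DEK-Info"]}, nil
	}
	return KeyStatus{}, fmt.Errorf("unrecognised PEM type %q", block.Type)
}

// AuditSSHDir lists the unprotected private keys directly under dir. Files that
// do not parse as PEM (known_hosts, config, *.pub) are skipped.
func AuditSSHDir(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var weak []string
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		p := filepath.Join(dir, e.Name())
		data, err := os.ReadFile(p)
		if err != nil {
			continue
		}
		if st, err := InspectKey(data); err == nil && !st.Encrypted {
			weak = append(weak, p)
		}
	}
	return weak, nil
}

// fakeOpenSSHKey builds a constructed openssh-key-v1 header (magic plus the
// cipher and KDF names, no real key material) so the example runs offline.
func fakeOpenSSHKey(cipher, kdf string) []byte {
	var buf bytes.Buffer
	buf.WriteString(opensshMagic)
	for _, s := range []string{cipher, kdf, ""} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		buf.Write(l[:])
		buf.WriteString(s)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: buf.Bytes()})
}

func main() {
	for _, k := range [][]byte{fakeOpenSSHKey("none", "none"), fakeOpenSSHKey("aes256-ctr", "bcrypt")} {
		st, err := InspectKey(k)
		fmt.Printf("%+v %v\n", st, err)
	}
	if home, err := os.UserHomeDir(); err == nil {
		weak, _ := AuditSSHDir(filepath.Join(home, ".ssh"))
		fmt.Println("unprotected keys:", weak)
	}
}
```

A passphrase does not make a stolen key safe, it buys time: the attacker still has to brute-force the KDF (bcrypt for openssh-key-v1, which is slow by design). Keys the audit lists should be rotated rather than re-encrypted in place, since the copy already out of the door stays unprotected.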

Groups That Use This Software

ID Name References
G0094 Kimsuky (Citation: ASEC Troll Stealer 2024)(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
