Recent attacks by North Korean state-sponsored hacking group Kimsuky, also known as APT43, Emerald Sleet, and Velvet Chollima, have involved the novel Go-based Troll Stealer and GoBear malware strains, The Hacker News reports.
Kimsuky leveraged a malicious dropper file impersonating a security program installer from South Korean firm SGA Solutions to deploy Troll Stealer, which exfiltrates SSH, browser, and system information, a report from S2W revealed. The malware, which was signed with a legitimate certificate from D2Innovation Co., also steals South Korean government-issued GPKI certificates, indicating that it may have been aimed at public and administrative organizations across the country.
The findings also associated Kimsuky with the GoBear backdoor, which used a similar certificate and had commands overlapping with the group's BetaSeed malware.
"It is noteworthy that GoBear adds SOCKS5 proxy functionality, which was not previously supported by the Kimsuky group's backdoor malware," said S2W.