{
  "description": "Enterprise techniques used by Troll Stealer, ATT&CK software S1196 (v1.0)",
  "name": "Troll Stealer (S1196)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) uses HTTP to communicate to command and control infrastructure.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) compresses stolen data prior to exfiltration.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1217", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) collects information from Chromium-based browsers and Firefox such as cookies, history, downloads, and extensions.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) creates and executes a PowerShell script to delete itself.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) can create and execute Windows batch scripts.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) performs XOR encryption and Base64 encoding of data prior to sending to command and control infrastructure.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1213", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) gathers information from the Government Public Key Infrastructure (GPKI) folder, associated with South Korean government public key infrastructure, on infected systems.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1005", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) gathers information from infected systems such as SSH information from the victim's `.ssh` directory.(Citation: Symantec Troll Stealer 2024) [Troll Stealer](https://attack.mitre.org/software/S1196) collects information from local FileZilla installations and Microsoft Sticky Note.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) encrypts gathered information on victim devices prior to exfiltrating it through command and control infrastructure.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "showSubtechniques": true},
    {"techniqueID": "T1480.002", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) creates a mutex during installation to prevent duplicate execution.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) exfiltrates collected information to its command and control infrastructure.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) can enumerate and collect items from local drives and folders.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) creates and can execute a BAT script that will delete the malware.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) is typically installed via a dropper file that masquerades as a legitimate security program installation file.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) can capture screenshots from victim machines.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196), along with its associated dropper, utilizes legitimate, stolen code signing certificates.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) is dropped as a DLL file and executed via `rundll32.exe` by its installer.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) can collect local system information.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) collects the MAC address of victim devices.(Citation: S2W Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.004", "comment": "[Troll Stealer](https://attack.mitre.org/software/S1196) collects all data in victim `.ssh` folders by creating a compressed copy that is subsequently exfiltrated to command and control infrastructure. [Troll Stealer](https://attack.mitre.org/software/S1196) also collects key information associated with the Government Public Key Infrastructure (GPKI) service for South Korean government information systems.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Troll Stealer", "color": "#66b1ff"}]
}