On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed disguised as ordinary document or image files. The dropper malware that creates AppleSeed either used script formats such as JS (JavaScript) and VBS (Visual Basic Script), or used a .pif extension so that a file that runs as an .exe passed for a document. In this case, it used the same icon and filename as the installer it imitates (see Figure 1 below).
- Filename: firmware upgrade installer.exe
When the installer is run, it hides its true nature by popping up a message box about installing a firmware upgrade for a certain Wi-Fi router (the firmware shown in Figure 2 is not related to AppleSeed). Previous AppleSeed strains disguised as document files displayed documents and image files to make users believe they had opened a document or an image.
Clicking the OK button on the pop-up has the installer internally pass “iptime.com” as a parameter to the “ShellExecuteExW” API, opening the manufacturer’s website and giving the impression that the firmware is being updated normally.
The moment the user accesses the website, the user’s PC is infected with AppleSeed. AppleSeed is a backdoor that receives commands from the C&C server and performs various malicious actions such as stealing information and installing additional malware. Analysis of similar cases found that the attacker mainly installed remote-control tools such as RDP Patcher, HVNC, and TightVNC, and additionally installed Metasploit Meterpreter on the user’s PC.
AppleSeed runs from specific paths while disguising itself as a normal program, as shown below. AhnLab’s ASD logs show that the attacker installs a second AppleSeed on the system.
- AppleSeed Installation Path (1): %ALLUSERSPROFILE%\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll
- AppleSeed Installation Path (2): %ALLUSERSPROFILE%\Software\ControlSet\Service\ServiceScheduler.dll
The recently discovered AppleSeed strains include an anti-sandbox feature. Because the malicious routines are placed in the DllInstall() function, the DLL must be invoked with the /s option and also the /i option, whose argument must match the value the malware expects, in order to operate normally, as shown below.
- AppleSeed Operation Method and Command Line Option (1): regsvr32.exe /s C:\ProgramData\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll
- AppleSeed Operation Method and Command Line Option (2): regsvr32.exe /s /n /i:123qweASDTYU C:\ProgramData\Software\ControlSet\Service\ServiceScheduler.dll
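The two regsvr32 command lines above are a good hunting target in process-creation telemetry. The following is an added example (not code from the post or from AhnLab) that parses a regsvr32 command line into its switches and DLL path and flags the traits described here: the known installation paths, a DLL loaded from %ALLUSERSPROFILE%, and a DllInstall-only call (/n with /i:argument). The sample command lines are constructed, and %ALLUSERSPROFILE% is assumed to be at its default location, C:\ProgramData.

```python
import re
from collections import namedtuple

# Constructed sample process-creation command lines (not telemetry from the post);
# the first two reproduce the regsvr32 invocations the post describes.
SAMPLE_CMDLINES = [
    r'regsvr32.exe /s C:\ProgramData\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll',
    r'regsvr32.exe /s /n /i:123qweASDTYU C:\ProgramData\Software\ControlSet\Service\ServiceScheduler.dll',
    r'regsvr32.exe /s C:\Windows\System32\msxml3.dll',
    r'"C:\Windows\System32\regsvr32.exe" /i:setup "C:\Program Files\Vendor\Plugin.dll"',
]

# Installation paths from the post, with %ALLUSERSPROFILE% expanded to its
# default location (C:\ProgramData); that default is an assumption.
KNOWN_APPLESEED_DLLS = {
    r"c:\programdata\firmware\microsoft\windows\defender\autoupdate.dll",
    r"c:\programdata\software\controlset\service\servicescheduler.dll",
}

Regsvr32Call = namedtuple("Regsvr32Call", "silent no_register install_arg dll")


def normalize_path(path):
    """Lower-case, strip quotes and expand %ALLUSERSPROFILE% (assumed default)."""
    return path.strip('"').lower().replace("%allusersprofile%", r"c:\programdata")


def parse_regsvr32(cmdline):
    """Split a regsvr32 command line into switches and DLL path; None if not regsvr32."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens or not tokens[0].lower().endswith("regsvr32.exe"):
        return None
    silent = no_register = False
    install_arg = dll = None
    for tok in tokens[1:]:
        opt = tok.lower()
        if opt == "/s":
            silent = True
        elif opt == "/n":
            no_register = True
        elif opt.startswith("/i"):
            install_arg = tok[3:] if tok[2:3] == ":" else ""  # "/i:ARG" or bare "/i"
        else:
            dll = normalize_path(tok)
    return Regsvr32Call(silent, no_register, install_arg, dll)


def appleseed_indicators(cmdline):
    """Return the reasons a regsvr32 call matches the behaviour described in the post."""
    call = parse_regsvr32(cmdline)
    if call is None or call.dll is None:
        return []
    reasons = []
    if call.dll in KNOWN_APPLESEED_DLLS:
        reasons.append("known AppleSeed installation path")
    if call.dll.startswith("c:\\programdata\\"):
        reasons.append("DLL loaded from %ALLUSERSPROFILE%")
    if call.no_register and call.install_arg:
        reasons.append("DllInstall-only call (/n) with argument /i:" + call.install_arg)
    return reasons
```

A bare /i on a DLL outside %ALLUSERSPROFILE% (the fourth sample) produces no indicator, so the check keys on the combination of traits rather than on regsvr32 alone.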
AppleSeed is a backdoor malware mainly used by the Kimsuky group in its APT attacks. The following ASEC blog post provides a detailed analysis of this malware.
Instead of being distributed on its own, the malware is often distributed together with bait files so that users do not realize their system has been infected. Since it is mostly distributed via spear-phishing emails, users should be cautious and refrain from opening attachments from unknown senders.
(1) firmware upgrade installer.exe (39b39ca9cbf9b271590d06dfc68a68b7)
– Dropper/Win.AppleSeed.C5150014 (2022.05.30.02)
(2) firmware upgrade installer.exe (851e33373114fef45d0fe28c6934fa73)
– Dropper/Win.AppleSeed.C5145023 (2022.05.27.02)
(3) wmi-ui-99bbc08f.db (9ac572bdca96a833a40edcaa91e04c2b)
– Backdoor/Win.AppleSeed.C5145022 (2022.05.30.02)
(4) asd.dat (6b10482c939fc33c3a45a17f021df32b), ServiceScheduler.dll (c99f6d1c7c0d55ce1453dd08c87ee2b4)
– Backdoor/Win.AppleSeed.C5145020 (2022.05.27.02)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.