AppleSeed Disguised as Purchase Order and Request Form Being Distributed

The ASEC analysis team has recently discovered the distribution of AppleSeed disguised as purchase orders and request forms. AppleSeed is a backdoor malware mainly used by the Kimsuky group. It stays in the system and performs malicious behaviors by receiving commands from attackers.

The malware is currently being distributed under the following filenames.

  • Purchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse
  • Request form(general manager ***).jse

The JSE (JScript Encoded File) file consists of JavaScript, and when it is run, it drops AppleSeed backdoor file (DLL file) and the purchase order PDF file that acts as bait in the %ProgramData% path. After then, PDF file is automatically run (see Figure 2).

Figure 1. Dropping malware and PDF file used as bait

Figure 2. Details of PDF file

The file uses regsvr32.exe to decode and run the backdoor file (area shaded with purple) and mshta.exe to download and run additional scripts (area shaded with red).

Figure 3. Running AppleSeed and downloading additional scripts

When the scripts are run, the following information is stolen and sent to the C2.

  • Basic information of the PC (PC name, OS version, processor, and memory)
  • User account credentials
  • Network information (IP address, routing table, port usage information, and ARP list)
  • List of running processes and services
  • Folders and files within ProgramFiles / Programs within the Start menu / List of recent files
Figure 4. Information stolen using additionally downloaded scripts

The AppleSeed backdoor file continuously receives commands from the C2 server to download and run additional modules, or perform behaviors that the attacker wishes to perform. For a detailed analysis of AppleSeed, refer to the following link.

The figure below shows the overall process tree after the scripts are run.

Figure 5. Process tree

Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

Figure 6. Detection and blocking by V3

[File Detection]
Dropper/JS.Generic
Backdoor/Win.AppleSeed.R499775

[IOC Info]
7d445b39a090b486aaa002b282b4d8cb
67e7e8600a57e9430a43bf8c5f98c6bd
ec9dcef04c5c89d6107d23b0668cc1c1
1ae2e46aac55e7f92c72b56b387bc945
hxxp://dirwear.000webhostapp[.]com (C2 for stealing information)
hxxp://gerter.getenjoyment[.]net (C2 for AppleSeed backdoor file)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, , ,

5 1 vote
Article Rating
guest

2 Comments
Inline Feedbacks
View all comments
trackback

[…] AppleSeed Disguised as Purchase Order and Request Form Being Distributed […]

trackback

[…] AppleSeed Disguised as Purchase Order and Request Form Being Distributed […]