AppleSeed Disguised as Purchase Order and Request Form Being Distributed

The ASEC analysis team has recently discovered the distribution of AppleSeed disguised as purchase orders and request forms. AppleSeed is a backdoor malware mainly used by the Kimsuky group. It stays in the system and performs malicious behaviors by receiving commands from attackers.

The malware is currently being distributed under the following filenames.

  • Purchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse
  • Request form(general manager ***).jse

The JSE (JScript Encoded File) file consists of JavaScript, and when it is run, it drops AppleSeed backdoor file (DLL file) and the purchase order PDF file that acts as bait in the %ProgramData% path. After then, PDF file is automatically run (see Figure 2).

Figure 1. Dropping malware and PDF file used as bait

Figure 2. Details of PDF file

The file uses regsvr32.exe to decode and run the backdoor file (area shaded with purple) and mshta.exe to download and run additional scripts (area shaded with red).

Figure 3. Running AppleSeed and downloading additional scripts

When the scripts are run, the following information is stolen and sent to the C2.

  • Basic information of the PC (PC name, OS version, processor, and memory)
  • User account credentials
  • Network information (IP address, routing table, port usage information, and ARP list)
  • List of running processes and services
  • Folders and files within ProgramFiles / Programs within the Start menu / List of recent files
Figure 4. Information stolen using additionally downloaded scripts

The AppleSeed backdoor file continuously receives commands from the C2 server to download and run additional modules, or perform behaviors that the attacker wishes to perform. For a detailed analysis of AppleSeed, refer to the following link.

The figure below shows the overall process tree after the scripts are run.

Figure 5. Process tree

Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

Figure 6. Detection and blocking by V3

[File Detection]

[IOC Info]
hxxp://dirwear.000webhostapp[.]com (C2 for stealing information)
hxxp://gerter.getenjoyment[.]net (C2 for AppleSeed backdoor file)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments

[…] AppleSeed Disguised as Purchase Order and Request Form Being Distributed […]


[…] AppleSeed Disguised as Purchase Order and Request Form Being Distributed […]


[…] Kimsuky group’s attack cases. The ASEC blog also covers various attack cases using AppleSeed. [5] [6] [7] AppleSeed supports various features such as executing the threat actor’s commands from […]