AppleSeed Being Distributed to Maintenance Company of Military Bases

The ASEC analysis team has recently discovered a case of AppleSeed being distributed to a certain maintenance company of military bases. AppleSeed is a backdoor malware mainly used by the Kimsuky group and is actively being distributed to multiple attack targets as of late.

In this case, the malware was distributed with a file under the name of a military base.

  • 20220713_**** base_installation planned dateV004_*** edited_6.xls
Figure 1. Malware file

AppleSeed was distributed as an Excel file (XLS) and protected with a password to bypass anti-malware software.

When opening the XLS file, users are prompted to enable the external content as in Figure 2. Clicking the Enable Content button will open the macro-enabled content as in Figure 3.

Figure 2. XLS file (before enabling macros)

Figure 3. XLS file (after enabling macros)

The macro hides the information that prompts the user to enable content to display the original file. It then uses mshta to download and run additional scripts from a C2.

Figure 4. Malicious macro inside the file

The scripts contain a routine for downloading and executing AppleSeed, which is saved in the following path.

  • Path: %ProgramData%\Software\ControlSet\Service\ServiceScheduler.dll
  • Execution Argument: regsvr32.exe /s /n /i:12345QWERTY [AppleSeed path]

When AppleSeed is run, it can continuously receive commands from the C2 server to download and run additional modules or perform behaviors that the attacker wants. For a detailed analysis of AppleSeed, click the link.

The Kimsuky group which mainly employs AppleSeed is attempting various methods to increase their chance of attack success. Users should take caution not to run attachments of emails sent from unknown sources and only enable macros from reliable sources.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

Figure 5. Detection and blocking malicious files by V3

[File Detection]
Downloader/XSL.Kimsuky
Backdoor/Win.AppleSeed.R504704

[IOC Info]
1ac5b803205b1c3464941df2c21958e7
a3786f14c85842861aa3493ec30be949
hxxp://hime.dothome.co[.]kr/exchange/
hxxp://sign.dothome.co[.]kr/login/

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

TAGGED AS:APPLESEED, APT, ASECBACKDOOR, MALWARE, KIMSUKY

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments