The ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with North Korea, and this malware is being actively distributed to many companies.
The filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file extension was used to deceive users.
- 노**.xls.vbs (Noh**.xls.vbs)
- 배치도_고리2호기ISI.pdf.vbs (Layout_KoriNo2ISI.pdf.vbs)

When the file is executed, the encoded data inside is decoded and each file is created in the paths below.
- [The same path as the vbs file]\Noh**.xls (Normal Excel bait file)
- %ProgramData%\qijWq.rSCKPC.b64 (Malicious PE file encoded in a certain format)
- %ProgramData%\qijWq.rSCKPC.bat (Batch file that decodes the qijWq.rSCKPC.b64 file)
The printed Excel file is automatically opened, making it seem as if the user has opened a normal Excel document. The Excel bait file contains texts related to nuclear power plants (See Figure 2).

In the background, the qijWq.rSCKPC.bat file in the %ProgramData% path is executed, which decodes qijWq.rSCKPC.b64, ultimately creating the qijWq.rSCKPC file (DLL PE).

Afterward, the dropped malware is executed via regsvr32, a program that executes DLL files. The exact execution argument is as follows.
- regsvr32 /s /i:123579ASDFG C:\ProgramData\qijWq.rSCKPC
After the file is executed, the malware accesses the C2 below to receive and carry out the commands. Then, it encodes the results in a certain format to transmit to C2.
- C2 : hxxp://ndt.info[.]gf/index.php
- Commands
- die: Terminate
- getinfo: PC information
- where: Currently running path
- run: Executes certain files or commands

The attacker can use the run command to execute desired behaviors, as well as download and execute additional malware files such as AppleSeed.
Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

[File Detection]
Dropper/VBS.Generic.SC183898
Dropper/Win.AppleSeed.R531012
Dropper/VBS.VBS
[IOC Info]
55a9a935b36da90fb5a7ab814d567a40
ba83312ea92c284c710bcc0906a29fb1
hxxp://ndt.info[.]gf/index.php
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information