Kimsuky Group Using Weaponized file Deploy AppleSeed Malware


Hackers use weaponized LNK files to exploit vulnerabilities in Windows operating systems. These files often contain malicious code that can be executed when the user clicks on the shortcut.

These weaponized files allow threat actors to perform several types of malicious activities like:-

  • Gain unauthorized access
  • Deliver malware
  • Deliver malicious payload

Recently, cybersecurity researchers at ASEC identified that the Kimsuky group has been actively using the weaponized LNK file to deploy AppleSeed malware.

LNK File to Deploy AppleSeed Malware

Kimsuky, backed by North Korea, has been active since 2013. Initially, this group hit South Korean research institutes and later targeted a South Korean energy corporation in 2014. 

This sophisticated group expanded its attack surface globally in 2017, and it specializes in spear phishing against:-

  • Defense
  • Industries
  • Media
  • Diplomacy
  • Organizations
  • Academia

The primary goal of this group is to steal internal info and technologies. The operators of this group prefer LNK malware but also use:-

  • JavaScript macros
  • Excel macros

It’s persistent in the use of AppleSeed, with recent variations like AlphaSeed, and not only that even it also maintains consistency in Infostealer and RDP Patch malware since 2022. 

Apart from this, it notably switched from RDP to Chrome Remote Desktop for better control with minimal changes to methods.

AppleSeed is controlled by threat actors and often distributed through a JavaScript dropper. It installs in disguised paths like “%APPDATA%” or “%PROGRAMDATA%,” appearing as legitimate programs. 

AlphaSeed, a Golang malware similar to AppleSeed, uses ChromeDP for C&C communication and different login methods. Kimsuky group combines AppleSeed and AlphaSeed, sometimes installing them together. 

Metasploit is a penetration testing framework that includes Meterpreter, which is also a backdoor used by Kimsuky. They also employ the following VNC malware:-

For verification, the “TinyNuke,” a banking malware that features HVNC used by Kimsuky, employs strings like “AVE_MARIA,” and the Kimsuky group has been using these tactics since at least 2022.

Kimsuky threat group targets South Korea with constant spear phishing, sending malware as email attachments, and running these files gives them control over the targeted system.

Recommendations

Cybersecurity researchers urged users to follow the following recommendations:-

  • Beware of unknown senders
  • Avoid random files 
  • Keep the OS updated
  • Make sure to update the browsers
  • Keep the V3 updated for the prevention

IOCs

MD5

  • db5fc5cf50f8c1e19141eb238e57658c : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll
  • 6a968fd1608bca7255c329a0701dbf58 : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
  • cafc26b215550521a12b38de38fa802b : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
  • 76831271eb117b77a57869c80bfd6ba6 : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
  • b5d3e0c3c470d2d41967229e17259c87 : AppleSeed (%APPDATA%chromeServiceupdategoogle.dll)
  • 4511e57ae1eacdf1c2922bf1a94bfb8d : AppleSeed (%APPDATA%EastSoftControlServiceEastSoftUpdate.dll)
  • 02843206001cd952472abf5ae2b981b2 : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
  • 8aeacd58d371f57774e63d217b6b6f98 : AppleSeed (%APPDATA%AcrobatreaderServiceAcrobatReaderUpdate.db)
  • cacf04cd560b70eaaf0e75f3da9a5e8f : AppleSeed (%APPDATA%ProtectSoftUpdateServiceProtectSoftUpdate.db)
  • 7a7937f8d4dcb335e96db05b2fb64a1b : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
  • f3a55d49562e41c7d339fb52457513ba : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
  • 5d3ab2baacf2ad986ed7542eeabf3dab : AppleSeed Dropper
  • d4ad31f316dc4ca0e7170109174827cf : AppleSeed Dropper
  • 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf : AppleSeed Dropper
  • ae9593c0c80e55ff49c28e28bf8bc887 : AppleSeed Dropper
  • b6f17d59f38aba69d6da55ce36406729 : AppleSeed Dropper
  • 153383634ee35b7db6ab59cde68bf526 : AppleSeed Dropper
  • c560d3371a16ef17dd79412f6ea99d3a : AppleSeed Dropper
  • 0cce02d2d835a996ad5dfc0406b44b01 : AppleSeed Dropper
  • d94c6323c3f77965451c0b7ebeb32e13 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
  • 52ff761212eeaadcd3a95a1f8cce4030 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
  • 4cb843f2a5b6ed7e806c69e6c25a1025 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
  • b6ab96dc4778c6704b6def5db448a020 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
  • 232046aff635f1a5d81e415ef64649b7 : Meterpreter (%PROGRAMDATA%setting.dat)
  • 58fafabd6ae8360c9d604cd314a27159 : Meterpreter (%SystemRoot%system32setting.db)
  • e582bd909800e87952eb1f206a279e47 : Meterpreter (%SystemRoot%system32service.db)
  • ac99b5c1d66b5f0ddb4423c627ca8333 : Meterpreter
  • e34669d56a13d607da1f76618eb4b27e : TinyNuke (HVNC)
  • ee76638004c68cfc34ff1fea2a7565a7 : TightVNC

C&C URL

  • hxxp://bitburny.kro[.]kr/aha/ : AppleSeed
  • hxxp://bitthum.kro[.]kr/hu/ : AppleSeed
  • hxxp://doma2.o-r[.]kr// : AppleSeed
  • hxxp://my.topton.r-e[.]kr/address/ : AppleSeed
  • hxxp://nobtwoseb1.n-e[.]kr// : AppleSeed
  • hxxp://octseven1.p-e[.]kr// : AppleSeed
  • hxxp://tehyeran1.r-e[.]kr// : AppleSeed
  • hxxp://update.ahnlaib.kro[.]kr/aha/ : AppleSeed
  • hxxp://update.doumi.kro[.]kr/aha/ : AppleSeed
  • hxxp://update.onedrive.p-e[.]kr/aha/ : AppleSeed
  • hxxp://yes24.r-e[.]kr/aha/ : AppleSeed
  • 104.168.145[.]83:993 : Meterpreter
  • 159.100.6[.]137:993 : Meterpreter
  • 38.110.1[.]69:993 : Meterpreter
  • 107.148.71[.]88:993 : Meterpreter
  • 45.114.129[.]138:33890 : TinyNuke (HVNC)
  • 45.114.129[.]138:5500 : TightVNC



Source link