Appleseed Being Distributed to Nuclear Power Plant-Related Companies

Malware Analysis
1

The ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with North Korea, and this malware is being actively distributed to many companies.

AppleSeed Disguised as Purchase Order and Request Form Being Distributed

The filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file extension was used to deceive users.

  • 노**.xls.vbs (Noh**.xls.vbs)
  • 배치도_고리2호기ISI.pdf.vbs (Layout_KoriNo2ISI.pdf.vbs)
Figure 1. AppleSeed dropper file

When the file is executed, the encoded data inside is decoded and each file is created in the paths below.

  • [The same path as the vbs file]\Noh**.xls (Normal Excel bait file)
  • %ProgramData%\qijWq.rSCKPC.b64 (Malicious PE file encoded in a certain format)
  • %ProgramData%\qijWq.rSCKPC.bat (Batch file that decodes the qijWq.rSCKPC.b64 file)

The printed Excel file is automatically opened, making it seem as if the user has opened a normal Excel document. The Excel bait file contains texts related to nuclear power plants (See Figure 2).

Figure 2. Details of the bait file

In the background, the qijWq.rSCKPC.bat file in the %ProgramData% path is executed, which decodes qijWq.rSCKPC.b64, ultimately creating the qijWq.rSCKPC file (DLL PE).

Figure 3. Dropping malware

Afterward, the dropped malware is executed via regsvr32, a program that executes DLL files. The exact execution argument is as follows.

  • regsvr32 /s /i:123579ASDFG C:\ProgramData\qijWq.rSCKPC

After the file is executed, the malware accesses the C2 below to receive and carry out the commands. Then, it encodes the results in a certain format to transmit to C2.

  • C2 : hxxp://ndt.info[.]gf/index.php
  • Commands
    • die: Terminate
    • getinfo: PC information
    • where: Currently running path
    • run: Executes certain files or commands
Figure 4. Information transmitted to the server when the getinfo command is executed

The attacker can use the run command to execute desired behaviors, as well as download and execute additional malware files such as AppleSeed.

Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources.

AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.

Figure 5. Detection using the V3 product

[File Detection]
Dropper/VBS.Generic.SC183898
Dropper/Win.AppleSeed.R531012
Dropper/VBS.VBS

[IOC Info]
55a9a935b36da90fb5a7ab814d567a40
ba83312ea92c284c710bcc0906a29fb1
hxxp://ndt.info[.]gf/index.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post <strong>Appleseed Being Distributed to Nuclear Power Plant-Related Companies</strong> appeared first on ASEC BLOG.

Article Link: Appleseed Being Distributed to Nuclear Power Plant-Related Companies - ASEC BLOG