The ASEC analysis team has recently discovered the distribution of AppleSeed disguised as purchase orders and request forms. AppleSeed is a backdoor malware mainly used by the Kimsuky group. It stays in the system and performs malicious behaviors by receiving commands from attackers.
The malware is currently being distributed under the following filenames.
- Purchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse
- Request form(general manager ***).jse
The file uses regsvr32.exe to decode and run the backdoor file (area shaded with purple) and mshta.exe to download and run additional scripts (area shaded with red).
When the scripts are run, the following information is stolen and sent to the C2.
- Basic information of the PC (PC name, OS version, processor, and memory)
- User account credentials
- Network information (IP address, routing table, port usage information, and ARP list)
- List of running processes and services
- Folders and files within ProgramFiles / Programs within the Start menu / List of recent files
The AppleSeed backdoor file continuously receives commands from the C2 server to download and run additional modules, or perform behaviors that the attacker wishes to perform. For a detailed analysis of AppleSeed, refer to the following link.
The figure below shows the overall process tree after the scripts are run.
Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources.
AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases.
hxxp://dirwear.000webhostapp[.]com (C2 for stealing information)
hxxp://gerter.getenjoyment[.]net (C2 for AppleSeed backdoor file)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post AppleSeed Disguised as Purchase Order and Request Form Being Distributed appeared first on ASEC BLOG.