Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed – ASEC BLOG

Known to be supported by North Korea, the Kimsuky threat group has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Since 2017, attacks targeting countries other than South Korea have also been observed. [1] The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. [2]

While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected.

Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed which was covered in a past report titled “Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)”. [3] This report was published in November 2021, but the Kimsuky group is still using AppleSeed in their attacks. In addition to JavaScript, Excel macro malware are also used to install AppleSeed. [4]

A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together. Another point of interest is that the group still uses the same Infostealer and RDP Patch malware files that were first identified in 2022, which are used after the group takes control over an infected system.

This post will cover the characteristics of malware used in recent attack cases in comparison to the past report. For example, while the same AppleSeed is still being used, arguments are checked to obstruct analysis and a variant of AppleSeed named AlphaSeed is being used. Another notable fact is that while in the past the group typically used RDP to control the infected system after installing AppleSeed, they are often observed installing Chrome Remote Desktop in recent cases. [5]

1. AppleSeed

AppleSeed is a backdoor that can receive the threat actor’s commands from the C&C server and execute the received commands. The threat actor can use AppleSeed to control the infected system. It also offers features such as a downloader that installs additional malware, keylogging and taking screenshots, and stealing information by collecting files from the user system and sending them.

Like in past attack cases, AppleSeed is frequently distributed via a JavaScript dropper. The JavaScript dropper is responsible for installing AppleSeed while simultaneously creating and opening document files such as HWP and PDF. Due to this, ordinary users are deceived into thinking that a legitimate document file has been opened.

While the installed AppleSeed is similar to the one from the past, since early 2022, AppleSeed has been created by a dropper instead of being installed by JavaScript malware. Not only was a dropper added to the installation process but also a feature that checks the arguments upon malware execution. AppleSeed, which is in DLL format, is installed via the Regsvr32 process, during which the “/i” option is used to pass an argument. AppleSeed checks this argument and proceeds with installation only when it matches a certain string; otherwise, it deletes itself. Because of this, the AppleSeed DLL alone cannot perform malicious behaviors in a sandbox environment.

  • AppleSeed execution argument – example: regsvr32.exe /s /n /i:1qa2ws4rf “C:Users{UserName}AppDataRoamingFoxitReaderServiceFoxitReaderUpdate.db”
Period List of Arguments
Past 123qweasdzxc
123qweASDTYU
12345QWERTY
1q2w3e4r!
2wsx!QAZ3edc
$%ERT345ert
Recent 12qw3ed
1qa2ws4rf
Table 1. Arguments used when installing AppleSeed

AppleSeed is installed in the “%APPDATA%” or “%PROGRAMDATA%” path. The specific folder and file name are disguised to look like a legitimate program or file such as Antivirus, Chrome, and Adobe. While AppleSeed was often installed in the “%PROGRAMDATA%” path in the past, recently, “%APPDATA%” has been used frequently. The following table is a summary of the various paths AppleSeed was installed in. Paths used in attacks in the past several months were sorted separately.

Period Installation Path
Past %APPDATA%EastSoftControlServiceEastSoftUpdate.dll
%APPDATA%ESTsoftAlLUpdateAlCommon.dll
%APPDATA%ESTsoftCommonESTCommon.dll
%APPDATA%ESTsoftCommonko-kr.dll
%APPDATA%ESTsoftupdatESTCommon.dll
%APPDATA%MicrosoftWindowsDefenderAutoUpdate.dll
%APPDATA%MicrosoftWindowsDefenderpatch.dll
%PROGRAMDATA%FirmwareESTsoftCommonESTCommon.dll
%PROGRAMDATA%FirmwareMicrosoftWindowsDefenderAutoUpdate.dll
%PROGRAMDATA%SoftwareAhnlabServiceAutoService.dll
%PROGRAMDATA%SoftwareControlSetServiceServiceScheduler.dll
%PROGRAMDATA%SoftwareDefenderWindowsUpdateAutoUpdate.dll
%PROGRAMDATA%SoftwareESTsoftCommonESTCommon.dll
%PROGRAMDATA%SoftwareMicrosoftAvastAntiVirusAvastUpdate.dll
%PROGRAMDATA%SoftwareMicrosoftAvgAvgSkin.dll
%PROGRAMDATA%softwaremicrosoftiecleanercpatureiecaptureclean.dll
%PROGRAMDATA%SoftwareMicrosoftNetworkNetworkService.dll
%PROGRAMDATA%SoftwareMicrosoftPrinterPrinterService.dll
%PROGRAMDATA%SoftwareMicrosoftServiceTaskScheduler.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsAutoDefenderUpdateDB.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsAutoPatchpatch.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsChromeGoogleUpdate.dll
%PROGRAMDATA%SoftwareMicrosoftWIndowsDefenderAutoCheck.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsDefenderAutoUpdate.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsDefenderupdate.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsExplorerFontChecker.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsFontChecker.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsMDFWDFSyncWDFSync.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsMetaSecMetaSecurity.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsPatchpatch.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsProtectProtectUpdate.dll
%PROGRAMDATA%SoftwareMicrosoftWindowsSecrityAutoCheck.dll
Recent %APPDATA%AbodeServiceAdobeService.dll
%APPDATA%AcrobatreaderServiceAcrobatReaderUpdate.db
%APPDATA%chromeServiceupdategoogle.dll
%APPDATA%EastSoftControlServiceEastSoftUpdate.dll
%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db
%APPDATA%ProtectSoftUpdateServiceProtectSoftUpdate.db
Table 2. AppleSeed’s installation paths

2. AlphaSeed

AlphaSeed is a malware developed in Golang and supports similar features to AppleSeed such as command execution and infostealing. Due to these similarities and the path name contained in the binary, S2W named this malware AlphaSeed. [6]

Though most of its features are similar to those of AppleSeed, there are some differences as well. AlphaSeed was developed in Golang and uses ChromeDP for communications with the C&C server. When receiving commands from the threat actor or stealing collected information, AppleSeed generally used the HTTP protocol or email (SMTP and IMAPS). AlphaSeed also uses email protocols to communicate with the C&C, but instead of directly sending an email, it uses a tool called ChromeDP. The login process is also different: instead of using an ID and password, it uses cookie values to log into certain accounts.

Figure 1. Cookie value needed to log in

AlphaSeed has been used in attacks since at least October 2022 if not before. Like AppleSeed, AlphaSeed attacks use a JavaScript dropper. Because the binary itself is in DLL format which runs using the Regsvr32 process, the actual installation process is also similar to that of AppleSeed.

The threat actor sometimes installs AlphaSeed and AppleSeed together in the same target system. Although the initial distribution stage in the following case has not been identified, seeing from the fact that AlphaSeed and AppleSeed were installed at almost the same point in time and that certutil.exe was used, it seems that like in most cases, the two malware were installed by a JavaScript dropper.

Figure 2. AlphaSeed and AppleSeed used together in an attack

The AlphaSeed identified around October 2022 had the path name “E:/golang/src/naver_crawl/” in the binary, while the binary in the version used in attacks from around May 2023 until recently contained the path “E:/Go_Project/src/alpha/naver_crawl_spy/”.

Figure 3. AlphaSeed’s path names identified in October 2022
Figure 4. Path names used since May 2023 until recently

3. Meterpreter

Metasploit is a penetration testing framework. They are tools that can be used to inspect security vulnerabilities for networks and systems of companies and organizations, providing various features for each penetration test stage. Meterpreter is a backdoor provided by Metasploit and is used to control infected systems.

The Kimsuky group has often used Meterpreter in attack processes involving AppleSeed. [7] In the first half of 2023, Meterpreter Stager developed in Golang was identified. [8] However, the recently distributed version of Meterpreter was self-developed using C++ instead of Golang.

Figure 5. Shellcode for downloading Metasploit Meterpreter

4. VNC – TightVNC, HVNC (TinyNuke)

Aside from using RDP, the Kimsuky group also develops VNC malware to control the infected system. [9] There are two types that have been used since the initial discovery: TightVNC and HVNC.

TightVNC is an open-source VNC utility, and the threat actor customizes it to use it. The Kimsuky group distributes TightVNC which is customized to allow the Reverse VNC feature to be used independently in the infected environment without installing a service. As such, simply running tvnserver will allow the attacker to access tvnviewer that operates on the C&C server and gain control of the screen of the infected system.

TinyNuke, also known as Nuclear Bot, is a banking malware discovered in 2016. It includes features such as HVNC (HiddenDesktop/VNC), reverse SOCKS4 proxy, and form grabbing. As its source code was disclosed in 2017, TinyNuke is used by various threat actors, and out of its features, the HVNC and reverse SOCKS4 proxy features are partially borrowed by other malware such as AveMaria and BitRAT.

Among the various features offered by TinyNuke, the Kimsuky group only enables the HVNC feature before distributing it. TinyNuke uses the string “AVE_MARIA” for verification when establishing an HVNC communication session between server and client. The Kimsuky group either uses this string without modification or uses the string “LIGHT’S BOMB” instead. Since the first half of 2022, the string “Alpha’s nuke” has been used, which was also found in recently identified versions.

Figure 6. Strings used for HVNC verification

5. Conclusion

The Kimsuky threat group is constantly launching spear phishing attacks against South Korean users. The group usually distributes malware disguised as document files attached to emails. When users run these attachments, they may lose control over their system.

The Kimsuky threat group uses AppleSeed, Meterpreter, and VNC malware to seize control over infected systems, and even abuses the RDP remote desktop service included in Windows. Recently, the group has also been observed using the remote desktop feature in Google Chrome.

Users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also apply the latest patch for OS and programs such as internet browsers, and update V3 to the latest version to prevent malware infection in advance.

File Detection
– Backdoor/Win.AppleSeed.C5565172 (2023.12.21.00)
– Backdoor/Win.AppleSeed.R626582 (2023.12.04.02)
– Malware/Win.Agent.R628198 (2023.12.18.02)
– Trojan/Win.VNC.C5563987 (2023.12.18.03)
– Trojan/Win.TinyNuke.C5563988 (2023.12.18.03)
– Backdoor/Win.AppleSeed.C5563985 (2023.12.18.03)
– Backdoor/Win.AlphaSeed.R628550 (2023.12.21.03)
– Malware/Win.Agent.R628198 (2023.12.18.02))
– Backdoor/Win.AlphaSeed.R628552 (2023.12.21.03)
– Backdoor/Win.Iedoor.R626024 (2023.11.29.02)
– Backdoor/Win.Iedoor.R625563 (2023.11.27.03)
– Backdoor/Win.AppleSeed.R625539 (2023.11.27.02)
– Dropper/Win.AppleSeed.R625538 (2023.11.27.02)
– Backdoor/Win.AppleSeed.R624029 (2023.11.24.00)
– Backdoor/Win.AppleSeed.R625553 (2023.11.27.03)
– Backdoor/Win.AppleSeed.C5502219 (2023.10.08.03)

Behavior Detection
– Execution/MDP.Regsvr32.M4470

IOC
MD5
– db5fc5cf50f8c1e19141eb238e57658c : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll
– 6a968fd1608bca7255c329a0701dbf58 : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
– cafc26b215550521a12b38de38fa802b : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
– 76831271eb117b77a57869c80bfd6ba6 : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
– b5d3e0c3c470d2d41967229e17259c87 : AppleSeed (%APPDATA%chromeServiceupdategoogle.dll)
– 4511e57ae1eacdf1c2922bf1a94bfb8d : AppleSeed (%APPDATA%EastSoftControlServiceEastSoftUpdate.dll)
– 02843206001cd952472abf5ae2b981b2 : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
– 8aeacd58d371f57774e63d217b6b6f98 : AppleSeed (%APPDATA%AcrobatreaderServiceAcrobatReaderUpdate.db)
– cacf04cd560b70eaaf0e75f3da9a5e8f : AppleSeed (%APPDATA%ProtectSoftUpdateServiceProtectSoftUpdate.db)
– 7a7937f8d4dcb335e96db05b2fb64a1b : AppleSeed (%APPDATA%AbodeServiceAdobeService.dll)
– f3a55d49562e41c7d339fb52457513ba : AppleSeed (%APPDATA%FoxitReaderServiceFoxitReaderUpdate.db)
– 5d3ab2baacf2ad986ed7542eeabf3dab : AppleSeed Dropper
– d4ad31f316dc4ca0e7170109174827cf : AppleSeed Dropper
– 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf : AppleSeed Dropper
– ae9593c0c80e55ff49c28e28bf8bc887 : AppleSeed Dropper
– b6f17d59f38aba69d6da55ce36406729 : AppleSeed Dropper
– 153383634ee35b7db6ab59cde68bf526 : AppleSeed Dropper
– c560d3371a16ef17dd79412f6ea99d3a : AppleSeed Dropper
– 0cce02d2d835a996ad5dfc0406b44b01 : AppleSeed Dropper
– d94c6323c3f77965451c0b7ebeb32e13 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
– 52ff761212eeaadcd3a95a1f8cce4030 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
– 4cb843f2a5b6ed7e806c69e6c25a1025 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
– b6ab96dc4778c6704b6def5db448a020 : AlphaSeed (%USERPROFILE%.edgeedgemgmt.dat)
– 232046aff635f1a5d81e415ef64649b7 : Meterpreter (%PROGRAMDATA%setting.dat)
– 58fafabd6ae8360c9d604cd314a27159 : Meterpreter (%SystemRoot%system32setting.db)
– e582bd909800e87952eb1f206a279e47 : Meterpreter (%SystemRoot%system32service.db)
– ac99b5c1d66b5f0ddb4423c627ca8333 : Meterpreter
– e34669d56a13d607da1f76618eb4b27e : TinyNuke (HVNC)
– ee76638004c68cfc34ff1fea2a7565a7 : TightVNC

C&C URL
– 
hxxp://bitburny.kro[.]kr/aha/ : AppleSeed
– hxxp://bitthum.kro[.]kr/hu/ : AppleSeed
– hxxp://doma2.o-r[.]kr// : AppleSeed
– hxxp://my.topton.r-e[.]kr/address/ : AppleSeed
– hxxp://nobtwoseb1.n-e[.]kr// : AppleSeed
– hxxp://octseven1.p-e[.]kr// : AppleSeed
– hxxp://tehyeran1.r-e[.]kr// : AppleSeed
– hxxp://update.ahnlaib.kro[.]kr/aha/ : AppleSeed
– hxxp://update.doumi.kro[.]kr/aha/ : AppleSeed
– hxxp://update.onedrive.p-e[.]kr/aha/ : AppleSeed
– hxxp://yes24.r-e[.]kr/aha/ : AppleSeed
– 104.168.145[.]83:993 : Meterpreter
– 159.100.6[.]137:993 : Meterpreter
– 38.110.1[.]69:993 : Meterpreter
– 107.148.71[.]88:993 : Meterpreter
– 45.114.129[.]138:33890 : TinyNuke (HVNC)
– 45.114.129[.]138:5500 : TightVNC

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/60054/