The Kimsuky Group, a North Korea-based cyber-attack group, has been known to use the AppleSeed malware in its attacks since 2022. The group constantly launches spear-phishing attacks against South Korean users and has been observed distributing malware through various methods, including JavaScript, Excel macro malware, and shortcut-type malware in LNK file format. The group is also known to use the Meterpreter and TinyNuke malware to seize control of compromised machines.
AppleSeed is a backdoor that can receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. A variant of AppleSeed named AlphaSeed, which was developed in Golang and uses chromedp for communications with the command-and-control server, has also been observed in use. The group typically uses RDP to control the infected systems, but they have also been observed installing Chrome Remote Desktop in recent cases.
The Kimsuky Group's attacks aim to steal internal information and technology from organizations. While the group typically relies on spear-phishing for initial access, most of its recent attacks use shortcut-type malware in LNK file format. Although LNK malware makes up a large part of recent attacks, cases using JavaScript or malicious documents are also being detected.
IoC
IPv4
- 104.168.145.83
- 159.100.6.137
MD5
- 02843206001cd952472abf5ae2b981b2
- 0cce02d2d835a996ad5dfc0406b44b01
- 153383634ee35b7db6ab59cde68bf526
- 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
- 232046aff635f1a5d81e415ef64649b7
- 4511e57ae1eacdf1c2922bf1a94bfb8d
- 4cb843f2a5b6ed7e806c69e6c25a1025
- 52ff761212eeaadcd3a95a1f8cce4030
- 58fafabd6ae8360c9d604cd314a27159
- 5d3ab2baacf2ad986ed7542eeabf3dab
- 6a968fd1608bca7255c329a0701dbf58
- 76831271eb117b77a57869c80bfd6ba6
- 7a7937f8d4dcb335e96db05b2fb64a1b
- 8aeacd58d371f57774e63d217b6b6f98
- ac99b5c1d66b5f0ddb4423c627ca8333
- ae9593c0c80e55ff49c28e28bf8bc887
- b5d3e0c3c470d2d41967229e17259c87
- b6ab96dc4778c6704b6def5db448a020
- b6f17d59f38aba69d6da55ce36406729
- c560d3371a16ef17dd79412f6ea99d3a
- cacf04cd560b70eaaf0e75f3da9a5e8f
- cafc26b215550521a12b38de38fa802b
- d4ad31f316dc4ca0e7170109174827cf
- d94c6323c3f77965451c0b7ebeb32e13
- db5fc5cf50f8c1e19141eb238e57658c
- e34669d56a13d607da1f76618eb4b27e
- e582bd909800e87952eb1f206a279e47
- ee76638004c68cfc34ff1fea2a7565a7
REFERENCES
- https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
- https://asec.ahnlab.com/en/60054/
- https://otx.alienvault.com/pulse/658c565578c6361b0ed9617a?utm_userid=xopxe&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed
TAGS
kimsuky, phishing, LNK, javascript, appleseed, macro, excel, alphaseed, chrome remote desktop, backdoor, infostealer, TightVNC, TinyNuke, meterpreter