Wednesday, January 3, 2024

Analysis of Kimsuky Group's AppleSeed Malware Attack Trends

The Kimsuky Group, a North Korean-based cyber-attack group, has been known to use AppleSeed malware in their attacks since 2022. The group constantly launches spear-phishing attacks against South Korean users and has been observed using various methods to distribute malware, including JavaScript, Excel macro malware, and shortcut-type malware in LNK file format. The group has also been known to use Meterpreter and TinyNuke malware to seize control of compromised machines.

AppleSeed is a backdoor that can receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. A variant of AppleSeed named AlphaSeed, which was developed in Golang and uses chromedp for communications with the command-and-control server, has also been observed in use. The group typically uses RDP to control the infected systems, but they have also been observed installing Chrome Remote Desktop in recent cases.

The Kimsuky Group's attacks aim to steal internal information and technology from organizations. While the group typically relies on spear-phishing for initial access, most of its recent attacks deliver shortcut-type malware in LNK file format. Although LNK malware makes up a large share of recent attacks, cases using JavaScript or malicious documents are also still being detected.

IoC

IPv4

  • 104.168.145.83
  • 159.100.6.137

MD5

  • 02843206001cd952472abf5ae2b981b2
  • 0cce02d2d835a996ad5dfc0406b44b01
  • 153383634ee35b7db6ab59cde68bf526
  • 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
  • 232046aff635f1a5d81e415ef64649b7
  • 4511e57ae1eacdf1c2922bf1a94bfb8d
  • 4cb843f2a5b6ed7e806c69e6c25a1025
  • 52ff761212eeaadcd3a95a1f8cce4030
  • 58fafabd6ae8360c9d604cd314a27159
  • 5d3ab2baacf2ad986ed7542eeabf3dab
  • 6a968fd1608bca7255c329a0701dbf58
  • 76831271eb117b77a57869c80bfd6ba6
  • 7a7937f8d4dcb335e96db05b2fb64a1b
  • 8aeacd58d371f57774e63d217b6b6f98
  • ac99b5c1d66b5f0ddb4423c627ca8333
  • ae9593c0c80e55ff49c28e28bf8bc887
  • b5d3e0c3c470d2d41967229e17259c87
  • b6ab96dc4778c6704b6def5db448a020
  • b6f17d59f38aba69d6da55ce36406729
  • c560d3371a16ef17dd79412f6ea99d3a
  • cacf04cd560b70eaaf0e75f3da9a5e8f
  • cafc26b215550521a12b38de38fa802b
  • d4ad31f316dc4ca0e7170109174827cf
  • d94c6323c3f77965451c0b7ebeb32e13
  • db5fc5cf50f8c1e19141eb238e57658c
  • e34669d56a13d607da1f76618eb4b27e
  • e582bd909800e87952eb1f206a279e47
  • ee76638004c68cfc34ff1fea2a7565a7
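A simple way to put the indicators above to defensive use is a local sweep: hash files on a host with MD5 and compare them against the listed hashes, and scan proxy or firewall log lines for the two listed IPv4 addresses. The script below is an added example and is not part of the original post or any vendor tooling; the hash and address values are copied from the IoC section, while the sample log lines are constructed for illustration.

```python
"""IoC sweep for the AppleSeed indicators listed in the post.

Added example (not from the original post). Matches MD5 file hashes and
IPv4 addresses against the IoC list above.
"""
import hashlib
import os
import re

# MD5 hashes copied from the IoC section of the post.
APPLESEED_MD5 = {
    "02843206001cd952472abf5ae2b981b2", "0cce02d2d835a996ad5dfc0406b44b01",
    "153383634ee35b7db6ab59cde68bf526", "1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf",
    "232046aff635f1a5d81e415ef64649b7", "4511e57ae1eacdf1c2922bf1a94bfb8d",
    "4cb843f2a5b6ed7e806c69e6c25a1025", "52ff761212eeaadcd3a95a1f8cce4030",
    "58fafabd6ae8360c9d604cd314a27159", "5d3ab2baacf2ad986ed7542eeabf3dab",
    "6a968fd1608bca7255c329a0701dbf58", "76831271eb117b77a57869c80bfd6ba6",
    "7a7937f8d4dcb335e96db05b2fb64a1b", "8aeacd58d371f57774e63d217b6b6f98",
    "ac99b5c1d66b5f0ddb4423c627ca8333", "ae9593c0c80e55ff49c28e28bf8bc887",
    "b5d3e0c3c470d2d41967229e17259c87", "b6ab96dc4778c6704b6def5db448a020",
    "b6f17d59f38aba69d6da55ce36406729", "c560d3371a16ef17dd79412f6ea99d3a",
    "cacf04cd560b70eaaf0e75f3da9a5e8f", "cafc26b215550521a12b38de38fa802b",
    "d4ad31f316dc4ca0e7170109174827cf", "d94c6323c3f77965451c0b7ebeb32e13",
    "db5fc5cf50f8c1e19141eb238e57658c", "e34669d56a13d607da1f76618eb4b27e",
    "e582bd909800e87952eb1f206a279e47", "ee76638004c68cfc34ff1fea2a7565a7",
}

# IPv4 addresses copied from the IoC section of the post.
APPLESEED_IPV4 = {"104.168.145.83", "159.100.6.137"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def md5_of_bytes(data: bytes) -> str:
    """Return the lowercase hex MD5 of a byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root: str) -> list:
    """Walk `root` and return (path, md5) for every file whose MD5 is an IoC.

    Files that cannot be read (permissions, races) are skipped rather than
    aborting the sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                h = md5_of_file(path)
            except OSError:
                continue
            if h in APPLESEED_MD5:
                hits.append((path, h))
    return hits


def find_ioc_ips(lines) -> list:
    """Return (1-based line number, ip) for each IoC address seen in log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in APPLESEED_IPV4:
                hits.append((lineno, ip))
    return hits


# Constructed sample proxy log lines (not from the original post).
# 203.0.113.10 is a documentation address used as benign filler.
SAMPLE_LOG_LINES = [
    "2024-01-03T10:15:22Z proxy src=10.0.0.25 dst=104.168.145.83:443 method=POST uri=/ status=200",
    "2024-01-03T10:15:30Z proxy src=10.0.0.25 dst=203.0.113.10:443 method=GET uri=/ status=200",
    "2024-01-03T10:16:01Z proxy src=10.0.0.31 dst=159.100.6.137:80 method=GET uri=/update.php status=200",
]


if __name__ == "__main__":
    for lineno, ip in find_ioc_ips(SAMPLE_LOG_LINES):
        print(f"log line {lineno}: IoC address {ip}")
    for path, h in sweep_directory("."):
        print(f"IoC hash match: {path} ({h})")
```

Run it from a directory to be checked; the log scan here runs over the constructed lines, but `find_ioc_ips` accepts any iterable of strings, so a real log file can be passed with `find_ioc_ips(open("proxy.log"))`. MD5 is used only because that is what the post publishes; prefer SHA-256 indicators where a source provides them, since MD5 collisions are practical.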

REFERENCES

  • https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
  • https://asec.ahnlab.com/en/60054/
  • https://otx.alienvault.com/pulse/658c565578c6361b0ed9617a?utm_userid=xopxe&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

TAGS

kimsuky, phishing, LNK, javascript, appleseed, macro, excel, alphaseed, chrome remote desktop, backdoor, infostealer, TightVNC, TinyNuke, meterpreter

