SYMBOLCOMMON_NAMEaka. SYNONYMS
win.appleseed (Back to overview)

Appleseed

aka: JamBog

Actor(s): Kimsuky


There is no description at this point.

References
2023-06-28AhnLabSanseo
@online{sanseo:20230628:kimsuky:342e1c2, author = {Sanseo}, title = {{Kimsuky Attack Group Abusing Chrome Remote Desktop}}, date = {2023-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/54804/}, language = {Korean}, urldate = {2023-07-16} } Kimsuky Attack Group Abusing Chrome Remote Desktop
Appleseed
2022-11-02ASECASEC
@online{asec:20221102:appleseed:0cc5b91, author = {ASEC}, title = {{Appleseed Being Distributed to Nuclear Power Plant-Related Companies}}, date = {2022-11-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/41015/}, language = {English}, urldate = {2022-11-03} } Appleseed Being Distributed to Nuclear Power Plant-Related Companies
Appleseed
2022-07-21ASECASEC Analysis Team
@online{team:20220721:dissemination:586ca95, author = {ASEC Analysis Team}, title = {{Dissemination of AppleSeed to Specific Military Maintenance Companies}}, date = {2022-07-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/36918/}, language = {Korean}, urldate = {2022-07-25} } Dissemination of AppleSeed to Specific Military Maintenance Companies
Appleseed
2022-07-11ASECASEC
@online{asec:20220711:appleseed:c064586, author = {ASEC}, title = {{AppleSeed Disguised as Purchase Order and Request Form Being Distributed}}, date = {2022-07-11}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/36368/}, language = {English}, urldate = {2022-11-03} } AppleSeed Disguised as Purchase Order and Request Form Being Distributed
Appleseed
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-11-16AhnLabASEC Analysis Team
@techreport{team:20211116:analysis:77a82f6, author = {ASEC Analysis Team}, title = {{Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)}}, date = {2021-11-16}, institution = {AhnLab}, url = {https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf}, language = {English}, urldate = {2022-05-04} } Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
Appleseed PEBBLEDASH
2021-11-03TelsyTelsy Research Team
@online{team:20211103:dissecting:aa23c19, author = {Telsy Research Team}, title = {{Dissecting new AppleSeed backdoor of Kimsuky threat actor}}, date = {2021-11-03}, organization = {Telsy}, url = {https://www.telsy.com/download/5654/?uid=4869868efd}, language = {English}, urldate = {2021-11-08} } Dissecting new AppleSeed backdoor of Kimsuky threat actor
Appleseed
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-09-02AhnLabASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2022-04-15} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20230715 | Detects win.appleseed.)
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 75f7 4c8bc3 488d9520010000 488bce e8???????? 90 48837d0010 }
            // n = 7, score = 100
            //   75f7                 | mov                 dword ptr [esp + 0x38], 0xf
            //   4c8bc3               | dec                 eax
            //   488d9520010000       | mov                 dword ptr [esp + 0x30], edi
            //   488bce               | nop                 
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   48837d0010           | lea                 eax, [esp + 0x48]

        $sequence_1 = { e8???????? 48c745980f000000 48895d90 c6458000 48837db810 7209 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   48c745980f000000     | test                eax, eax
            //   48895d90             | je                  0x13ff
            //   c6458000             | dec                 eax
            //   48837db810           | lea                 edx, [ebp + 0x120]
            //   7209                 | dec                 eax

        $sequence_2 = { e9???????? 488d8a68010000 e9???????? 488d8a50000000 e9???????? 488d8a70000000 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   488d8a68010000       | mov                 esi, ecx
            //   e9????????           |                     
            //   488d8a50000000       | xor                 edi, edi
            //   e9????????           |                     
            //   488d8a70000000       | dec                 eax

        $sequence_3 = { 488d05af540100 8bda 488bf9 488901 e8???????? }
            // n = 5, score = 100
            //   488d05af540100       | dec                 esp
            //   8bda                 | mov                 edi, eax
            //   488bf9               | inc                 esp
            //   488901               | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_4 = { 4c8b8510010000 498d0418 483bc6 0f8794010000 488d9500010000 4883bd1801000010 }
            // n = 6, score = 100
            //   4c8b8510010000       | nop                 
            //   498d0418             | dec                 esp
            //   483bc6               | lea                 eax, [ebp + 0x20]
            //   0f8794010000         | dec                 eax
            //   488d9500010000       | mov                 edx, eax
            //   4883bd1801000010     | dec                 eax

        $sequence_5 = { e8???????? 90 488d542468 488d4c2448 e8???????? 488d4d00 48837d1810 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | mov                 eax, dword ptr [eax + ebp*4 + 0x2c330]
            //   488d542468           | inc                 ebp
            //   488d4c2448           | test                eax, eax
            //   e8????????           |                     
            //   488d4d00             | je                  0xcfd
            //   48837d1810           | inc                 esp

        $sequence_6 = { e8???????? 48c743180f000000 4c896b10 c60300 488d55f0 488d4d50 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   48c743180f000000     | dec                 eax
            //   4c896b10             | test                esi, esi
            //   c60300               | dec                 eax
            //   488d55f0             | sub                 esp, 0x20
            //   488d4d50             | jns                 0x1013

        $sequence_7 = { 8b9370af0100 488d0d20040200 e8???????? 488d93c80f0000 488bcb e8???????? }
            // n = 6, score = 100
            //   8b9370af0100         | imul                eax, eax, 0x4d10
            //   488d0d20040200       | inc                 ecx
            //   e8????????           |                     
            //   488d93c80f0000       | mov                 eax, eax
            //   488bcb               | shr                 eax, 0x1f
            //   e8????????           |                     

        $sequence_8 = { 488d4d80 e8???????? 90 48837d9810 7209 488b4d80 e8???????? }
            // n = 7, score = 100
            //   488d4d80             | mov                 eax, edi
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   48837d9810           | mov                 ecx, dword ptr [ebp + 0xe90]
            //   7209                 | dec                 eax
            //   488b4d80             | xor                 ecx, esp
            //   e8????????           |                     

        $sequence_9 = { 488bd6 41b850000000 48895c2438 895c2430 c744242803000000 48895c2420 4533c9 }
            // n = 7, score = 100
            //   488bd6               | lea                 ecx, [ebp - 0x78]
            //   41b850000000         | nop                 
            //   48895c2438           | dec                 ecx
            //   895c2430             | or                  ecx, 0xffffffff
            //   c744242803000000     | inc                 ebp
            //   48895c2420           | xor                 eax, eax
            //   4533c9               | dec                 eax

    condition:
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        date = "2020-12-4"
        info = "Operation MUZABI"
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            (2 of ($appleseed_str*))
        and
            (1 of ($seed_str*))
        and
            (1 of ($appleseed_key*))
}
Download all Yara Rules