SYMBOLCOMMON_NAMEaka. SYNONYMS
win.appleseed (Back to overview)

Appleseed

aka: JamBog

Actor(s): Kimsuky

There is no description at this point.

References
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-11-16AhnLabASEC Analysis Team
@techreport{team:20211116:analysis:77a82f6, author = {ASEC Analysis Team}, title = {{Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)}}, date = {2021-11-16}, institution = {AhnLab}, url = {https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf}, language = {English}, urldate = {2022-05-04} } Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
Appleseed PEBBLEDASH
2021-11-03TelsyTelsy Research Team
@online{team:20211103:dissecting:aa23c19, author = {Telsy Research Team}, title = {{Dissecting new AppleSeed backdoor of Kimsuky threat actor}}, date = {2021-11-03}, organization = {Telsy}, url = {https://www.telsy.com/download/5654/?uid=4869868efd}, language = {English}, urldate = {2021-11-08} } Dissecting new AppleSeed backdoor of Kimsuky threat actor
Appleseed
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-09-02AhnLabASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2022-04-15} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20220516 | Detects win.appleseed.)
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d93c80f0000 488bcb e8???????? 448b8374af0100 8b9370af0100 488d0d18040200 e8???????? }
            // n = 7, score = 100
            //   488d93c80f0000       | inc                 esp
            //   488bcb               | mov                 eax, ebx
            //   e8????????           |                     
            //   448b8374af0100       | dec                 ecx
            //   8b9370af0100         | mov                 edx, edi
            //   488d0d18040200       | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 48833d????????00 7463 488d15b1160200 488d4db8 }
            // n = 4, score = 100
            //   48833d????????00     |                     
            //   7463                 | inc                 esp
            //   488d15b1160200       | mov                 eax, dword ptr [ebx + 0x1af74]
            //   488d4db8             | mov                 edx, dword ptr [ebx + 0x1af70]

        $sequence_2 = { 57 4156 488d6c24c0 4881ec40010000 48c7442460feffffff 488b05???????? 4833c4 }
            // n = 7, score = 100
            //   57                   | dec                 eax
            //   4156                 | lea                 ecx, [esp + 0x44]
            //   488d6c24c0           | ret                 
            //   4881ec40010000       | inc                 eax
            //   48c7442460feffffff     | push    ebx
            //   488b05????????       |                     
            //   4833c4               | dec                 eax

        $sequence_3 = { 488d1565e80100 488bc8 e8???????? 84c0 }
            // n = 4, score = 100
            //   488d1565e80100       | dec                 eax
            //   488bc8               | mov                 dword ptr [esp + 0x80], esi
            //   e8????????           |                     
            //   84c0                 | dec                 eax

        $sequence_4 = { 4833c4 4889442470 488bd9 c744243000000000 }
            // n = 4, score = 100
            //   4833c4               | lea                 edx, [0x21e8c]
            //   4889442470           | dec                 eax
            //   488bd9               | lea                 ecx, [ebp - 0x48]
            //   c744243000000000     | inc                 ecx

        $sequence_5 = { 488bf7 4c8bff 49c1ff05 4c8d2d86bb0100 83e61f 486bf658 4b8b44fd00 }
            // n = 7, score = 100
            //   488bf7               | dec                 eax
            //   4c8bff               | lea                 ecx, [ebp - 0x48]
            //   49c1ff05             | dec                 eax
            //   4c8d2d86bb0100       | mov                 dword ptr [ebp - 0x30], 0xf
            //   83e61f               | dec                 eax
            //   486bf658             | mov                 dword ptr [ebp - 0x38], ebx
            //   4b8b44fd00           | mov                 byte ptr [ebp - 0x48], 0

        $sequence_6 = { 488d6c24d9 4881eca0000000 48c745e7feffffff 48899c24f8000000 488b05???????? }
            // n = 5, score = 100
            //   488d6c24d9           | lea                 ecx, [ebp + 0xd81]
            //   4881eca0000000       | dec                 eax
            //   48c745e7feffffff     | lea                 edx, [ebx + 0x1f0]
            //   48899c24f8000000     | xor                 edx, edx
            //   488b05????????       |                     

        $sequence_7 = { 488d15c1610200 41b804010000 ff15???????? ffcb 7505 e8???????? b801000000 }
            // n = 7, score = 100
            //   488d15c1610200       | mov                 dword ptr [ebx + 0x20], ebp
            //   41b804010000         | dec                 eax
            //   ff15????????         |                     
            //   ffcb                 | xor                 eax, esp
            //   7505                 | dec                 eax
            //   e8????????           |                     
            //   b801000000           | mov                 dword ptr [esp + 0x50], eax

        $sequence_8 = { 48c1f805 83e11f 488d15e7cc0100 488b04c2 486bc958 c644080800 85db }
            // n = 7, score = 100
            //   48c1f805             | mov                 eax, edx
            //   83e11f               | dec                 eax
            //   488d15e7cc0100       | mov                 edx, ecx
            //   488b04c2             | dec                 eax
            //   486bc958             | lea                 ecx, [0x4dc9]
            //   c644080800           | test                eax, eax
            //   85db                 | dec                 ebp

        $sequence_9 = { 4885c0 7512 4c3bf3 7305 83c8ff eb08 8bc7 }
            // n = 7, score = 100
            //   4885c0               | dec                 esp
            //   7512                 | lea                 eax, [0x23a08]
            //   4c3bf3               | dec                 eax
            //   7305                 | mov                 edx, edi
            //   83c8ff               | dec                 eax
            //   eb08                 | lea                 ecx, [esp + 0x40]
            //   8bc7                 | dec                 eax

    condition:
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        date = "2020-12-4"
        info = "Operation MUZABI"
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            (2 of ($appleseed_str*))
        and
            (1 of ($seed_str*))
        and
            (1 of ($appleseed_key*))
}
Download all Yara Rules