win.appleseed (Back to overview)

Appleseed

aka: JamBog

Actor(s): Kimsuky


There is no description at this point.

References
2022-11-02ASECASEC
@online{asec:20221102:appleseed:0cc5b91, author = {ASEC}, title = {{Appleseed Being Distributed to Nuclear Power Plant-Related Companies}}, date = {2022-11-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/41015/}, language = {English}, urldate = {2022-11-03} } Appleseed Being Distributed to Nuclear Power Plant-Related Companies
Appleseed
2022-07-21ASECASEC Analysis Team
@online{team:20220721:dissemination:586ca95, author = {ASEC Analysis Team}, title = {{Dissemination of AppleSeed to Specific Military Maintenance Companies}}, date = {2022-07-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/36918/}, language = {Korean}, urldate = {2022-07-25} } Dissemination of AppleSeed to Specific Military Maintenance Companies
Appleseed
2022-07-11ASECASEC
@online{asec:20220711:appleseed:c064586, author = {ASEC}, title = {{AppleSeed Disguised as Purchase Order and Request Form Being Distributed}}, date = {2022-07-11}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/36368/}, language = {English}, urldate = {2022-11-03} } AppleSeed Disguised as Purchase Order and Request Form Being Distributed
Appleseed
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-11-16AhnLabASEC Analysis Team
@techreport{team:20211116:analysis:77a82f6, author = {ASEC Analysis Team}, title = {{Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)}}, date = {2021-11-16}, institution = {AhnLab}, url = {https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf}, language = {English}, urldate = {2022-05-04} } Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
Appleseed PEBBLEDASH
2021-11-03TelsyTelsy Research Team
@online{team:20211103:dissecting:aa23c19, author = {Telsy Research Team}, title = {{Dissecting new AppleSeed backdoor of Kimsuky threat actor}}, date = {2021-11-03}, organization = {Telsy}, url = {https://www.telsy.com/download/5654/?uid=4869868efd}, language = {English}, urldate = {2021-11-08} } Dissecting new AppleSeed backdoor of Kimsuky threat actor
Appleseed
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-09-02AhnLabASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2022-04-15} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20230125 | Detects win.appleseed.)
rule win_appleseed_auto {

    /* Purpose: code-pattern signature for the win.appleseed family (Kimsuky),
     * generated by yara-signator (see meta: tool / info) rather than written
     * by hand. It matches on instruction-byte sequences only: there is no
     * MZ/PE header check, so it can fire on raw memory dumps and unpacked
     * files as well as on on-disk PE images. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x64 instruction bytes. The "n = N" line
        // gives the number of instructions in the run; "score" is the
        // generator's own figure for the sequence (presumably a selection
        // score; see the tool's documentation).
        // "e8????????" wildcards the 4-byte relative target of a CALL (opcode
        // E8) so build-to-build differences in call targets do not break the
        // match; likewise the "????????" in $sequence_1's "48833d????????00"
        // covers the RIP-relative displacement of a "cmp qword ptr [rip+disp32], 0".
        // NOTE(review): the mnemonic column in the per-byte comments below
        // does not correspond to the hex bytes on the same line (e.g. "4155",
        // "4156", "4157" in $sequence_4 encode push r13/r14/r15, a standard
        // x64 prologue, not the "mov edx, dword ptr [eax]" shown). Treat the
        // hex as authoritative and the mnemonic text as generator noise.
        $sequence_0 = { 488d93c80f0000 488bcb e8???????? 448b8374af0100 8b9370af0100 488d0d18040200 e8???????? }
            // n = 7, score = 100
            //   488d93c80f0000       | mov                 dword ptr [eax + 0x10], edi
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   448b8374af0100       | xor                 eax, esp
            //   8b9370af0100         | dec                 eax
            //   488d0d18040200       | mov                 dword ptr [ebp + 0x160], eax
            //   e8????????           |                     

        $sequence_1 = { 48833d????????00 0f847c180000 48c745d00f000000 48895dc8 c645b800 41b840000000 488d15041e0200 }
            // n = 7, score = 100
            //   48833d????????00     |                     
            //   0f847c180000         | mov                 edx, dword ptr [eax]
            //   48c745d00f000000     | dec                 eax
            //   48895dc8             | mov                 dword ptr [esp + 0x50], 0xf
            //   c645b800             | dec                 eax
            //   41b840000000         | mov                 dword ptr [esp + 0x48], ebx
            //   488d15041e0200       | mov                 byte ptr [esp + 0x38], bl

        $sequence_2 = { 4883610800 488d052e550100 488bd9 488901 c6411000 e8???????? }
            // n = 6, score = 100
            //   4883610800           | je                  0x2e85
            //   488d052e550100       | dec                 eax
            //   488bd9               | lea                 edx, [0x21adf]
            //   488901               | dec                 eax
            //   c6411000             | lea                 ecx, [ebp - 0x48]
            //   e8????????           |                     

        $sequence_3 = { 33f6 89742450 408875e0 33d2 }
            // n = 4, score = 100
            //   33f6                 | mov                 byte ptr [ebp - 0x30], ch
            //   89742450             | xor                 eax, eax
            //   408875e0             | mov                 word ptr [ebp - 0x2f], ax
            //   33d2                 | ja                  0x577

        $sequence_4 = { 4155 4156 4157 488d6c24d9 4881eca0000000 48c745e7feffffff 48899c24f8000000 }
            // n = 7, score = 100
            //   4155                 | mov                 edx, dword ptr [eax]
            //   4156                 | dec                 eax
            //   4157                 | mov                 dword ptr [ebp + 0x70], 0xf
            //   488d6c24d9           | xor                 esi, esi
            //   4881eca0000000       | dec                 eax
            //   48c745e7feffffff     | mov                 dword ptr [ebp - 0x70], eax
            //   48899c24f8000000     | dec                 eax

        $sequence_5 = { e8???????? 48c785b00000000f000000 4889bda8000000 c6859800000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   48c785b00000000f000000     | mov    dword ptr [ebp - 0x28], 0xfffffffe
            //   4889bda8000000       | dec                 eax
            //   c6859800000000       | mov                 dword ptr [eax + 0x10], ebx

        $sequence_6 = { 488945b0 c745a018000000 48895da8 c745b001000000 41b900000040 4c8d45a0 488d542478 }
            // n = 7, score = 100
            //   488945b0             | xor                 eax, eax
            //   c745a018000000       | dec                 eax
            //   48895da8             | mov                 ecx, eax
            //   c745b001000000       | mov                 edi, 1
            //   41b900000040         | dec                 eax
            //   4c8d45a0             | cmp                 dword ptr [ebx + 0x18], 0x10
            //   488d542478           | jb                  0xffd

        $sequence_7 = { 488b8ba0000000 488d0543fa0000 483bc8 7405 e8???????? bf0d000000 }
            // n = 6, score = 100
            //   488b8ba0000000       | dec                 eax
            //   488d0543fa0000       | lea                 ecx, [ecx + eax*2]
            //   483bc8               | dec                 ecx
            //   7405                 | mov                 ecx, esi
            //   e8????????           |                     
            //   bf0d000000           | xor                 edx, edx

        $sequence_8 = { 488bce e8???????? 488b0e e8???????? 488bc7 488b4df0 4833cc }
            // n = 7, score = 100
            //   488bce               | dec                 eax
            //   e8????????           |                     
            //   488b0e               | lea                 ecx, [ebp + 0x148]
            //   e8????????           |                     
            //   488bc7               | nop                 
            //   488b4df0             | dec                 eax
            //   4833cc               | lea                 edx, [ebp + 0x70]

        $sequence_9 = { 4c8d056c7c0100 488bc5 49f7e9 48c1fa0d 488bc2 48c1e83f 4803d0 }
            // n = 7, score = 100
            //   4c8d056c7c0100       | lea                 ecx, [ebp + 0x40]
            //   488bc5               | dec                 eax
            //   49f7e9               | cmp                 dword ptr [ebp + 0x58], 0x10
            //   48c1fa0d             | dec                 esp
            //   488bc2               | lea                 eax, [ebp - 0x60]
            //   48c1e83f             | dec                 eax
            //   4803d0               | lea                 edx, [esp + 0x78]

    condition:
        // Any 7 of the 10 sequences must be present. The size cap (497664 =
        // 486 KiB) bounds scan cost and was presumably derived from the
        // reference sample(s); larger or padded samples fall outside the rule,
        // so a miss on a big file is not evidence of a clean file.
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
rule win_appleseed_w0 {
    /* Purpose: hand-written AppleSeed signature from KrCERT/CC's
     * "Operation MUZABI" analysis (see meta: info and the KISA reference on
     * this page). Unlike win_appleseed_auto it requires an "MZ" header, so it
     * is aimed at PE files/images rather than arbitrary memory regions. */
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        // NOTE(review): date is not zero-padded ("2020-12-4") and postdates
        // malpedia_rule_date / malpedia_version (20201015); one of the two
        // looks off — confirm against the original report before citing it.
        date = "2020-12-4"
        info = "Operation MUZABI"
        // Eight 32-hex-digit (MD5-length) sample hashes the rule was written
        // against; YARA accepts the repeated "hash" key in meta.
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Three groups of hex patterns. "?" wildcards a nibble (typically the
        // register field of a ModRM byte) and "[a-b]" skips a-to-b arbitrary
        // bytes, so the patterns tolerate register allocation and padding
        // differences between builds.
        //   $appleseed_str*: short ALU-immediate / conditional-jump fragments
        //                    (83 f? 10 / 83 e? 10 are imm8 ALU ops against
        //                    0x10; 0f 8? is a Jcc rel32).
        //   $appleseed_key*: store/index fragments (89 04 ?9 = mov [..+..*4], eax)
        //                    — the "key" naming suggests a key/table routine;
        //                    TODO confirm against the report.
        //   $seed_str*:      byte-load/XOR fragments (0f b6 = movzx r32, r/m8;
        //                    32 = xor r8, r/m8).
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
        // Requires: a DOS/PE "MZ" header (0x5a4d little-endian), a size under
        // 400 KB, and at least one hit from each of the three groups (two from
        // the generic $appleseed_str* group). The per-group requirement keeps
        // the generic fragments from matching on their own.
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            (2 of ($appleseed_str*))
        and
            (1 of ($seed_str*))
        and
            (1 of ($appleseed_key*))
}