SYMBOLCOMMON_NAMEaka. SYNONYMS
win.appleseed (Back to overview)

Appleseed

aka: JamBog

Actor(s): Kimsuky


There is no description at this point.

References
2022-11-02ASECASEC
@online{asec:20221102:appleseed:0cc5b91, author = {ASEC}, title = {{Appleseed Being Distributed to Nuclear Power Plant-Related Companies}}, date = {2022-11-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/41015/}, language = {English}, urldate = {2022-11-03} } Appleseed Being Distributed to Nuclear Power Plant-Related Companies
Appleseed
2022-07-21ASECASEC Analysis Team
@online{team:20220721:dissemination:586ca95, author = {ASEC Analysis Team}, title = {{Dissemination of AppleSeed to Specific Military Maintenance Companies}}, date = {2022-07-21}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/36918/}, language = {Korean}, urldate = {2022-07-25} } Dissemination of AppleSeed to Specific Military Maintenance Companies
Appleseed
2022-07-11ASECASEC
@online{asec:20220711:appleseed:c064586, author = {ASEC}, title = {{AppleSeed Disguised as Purchase Order and Request Form Being Distributed}}, date = {2022-07-11}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/36368/}, language = {English}, urldate = {2022-11-03} } AppleSeed Disguised as Purchase Order and Request Form Being Distributed
Appleseed
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-11-16AhnLabASEC Analysis Team
@techreport{team:20211116:analysis:77a82f6, author = {ASEC Analysis Team}, title = {{Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)}}, date = {2021-11-16}, institution = {AhnLab}, url = {https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf}, language = {English}, urldate = {2022-05-04} } Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
Appleseed PEBBLEDASH
2021-11-03TelsyTelsy Research Team
@online{team:20211103:dissecting:aa23c19, author = {Telsy Research Team}, title = {{Dissecting new AppleSeed backdoor of Kimsuky threat actor}}, date = {2021-11-03}, organization = {Telsy}, url = {https://www.telsy.com/download/5654/?uid=4869868efd}, language = {English}, urldate = {2021-11-08} } Dissecting new AppleSeed backdoor of Kimsuky threat actor
Appleseed
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-09-02AhnLabASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2022-04-15} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-09-14} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
FlowerPower Appleseed BabyShark GoldDragon NavRAT
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20221125 | Detects win.appleseed.)
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d93a00f0000 488bcb e8???????? 448b8374af0100 8b9370af0100 488d0d20040200 e8???????? }
            // n = 7, score = 100
            //   488d93a00f0000       | inc                 ebp
            //   488bcb               | xor                 eax, eax
            //   e8????????           |                     
            //   448b8374af0100       | dec                 eax
            //   8b9370af0100         | lea                 edx, [ebp + 0x60]
            //   488d0d20040200       | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 4c8bc0 418bd6 498bcc e8???????? 8bd8 448bc0 }
            // n = 6, score = 100
            //   4c8bc0               | mov                 byte ptr [esp + 0x50], 0
            //   418bd6               | inc                 ebp
            //   498bcc               | xor                 eax, eax
            //   e8????????           |                     
            //   8bd8                 | dec                 eax
            //   448bc0               | mov                 edx, eax

        $sequence_2 = { 488d05697e0100 c3 4883ec28 4885c9 }
            // n = 4, score = 100
            //   488d05697e0100       | inc                 esp
            //   c3                   | mov                 eax, esi
            //   4883ec28             | xor                 edx, edx
            //   4885c9               | dec                 eax

        $sequence_3 = { 4a8b8ce900670300 498bd4 48897c2420 488b0c0e ff15???????? }
            // n = 5, score = 100
            //   4a8b8ce900670300     | mov                 dword ptr [esp + 0x20], ecx
            //   498bd4               | inc                 ecx
            //   48897c2420           | mov                 ecx, 1
            //   488b0c0e             | inc                 ebp
            //   ff15????????         |                     

        $sequence_4 = { 448bc6 442bc0 488b442450 488d0d44d40100 }
            // n = 4, score = 100
            //   448bc6               | dec                 eax
            //   442bc0               | lea                 ebp, [eax - 0xc8]
            //   488b442450           | dec                 eax
            //   488d0d44d40100       | sub                 esp, 0x1a0

        $sequence_5 = { 803c3a00 75f7 488d4c2450 4c8bc7 e8???????? }
            // n = 5, score = 100
            //   803c3a00             | mov                 ecx, dword ptr [ebp + 0x48]
            //   75f7                 | nop                 
            //   488d4c2450           | dec                 eax
            //   4c8bc7               | cmp                 dword ptr [ebp + 0xa0], 0x10
            //   e8????????           |                     

        $sequence_6 = { e8???????? 85c0 0f8555ffffff 448b742438 e9???????? 488bcf ff15???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | je                  0x1c5b
            //   0f8555ffffff         | dec                 eax
            //   448b742438           | add                 dword ptr [edi + 8], 0x20
            //   e9????????           |                     
            //   488bcf               | dec                 eax
            //   ff15????????         |                     

        $sequence_7 = { 7411 83caff 488bc8 ff15???????? bf01000000 48837b1810 }
            // n = 6, score = 100
            //   7411                 | ret                 
            //   83caff               | dec                 esp
            //   488bc8               | lea                 edx, [0x1d4dd]
            //   ff15????????         |                     
            //   bf01000000           | xor                 edx, edx
            //   48837b1810           | dec                 ebp

        $sequence_8 = { 488d15991b0200 488d4db8 e8???????? 90 488d55d8 488bc8 e8???????? }
            // n = 7, score = 100
            //   488d15991b0200       | cmp                 edx, eax
            //   488d4db8             | ja                  0x138c
            //   e8????????           |                     
            //   90                   | dec                 esp
            //   488d55d8             | lea                 edx, [0xfffe50e2]
            //   488bc8               | inc                 esp
            //   e8????????           |                     

        $sequence_9 = { ba01000000 488d4dd8 e8???????? 440fb67dd4 4983c602 48ffc7 }
            // n = 6, score = 100
            //   ba01000000           | xor                 edx, edx
            //   488d4dd8             | inc                 ecx
            //   e8????????           |                     
            //   440fb67dd4           | mov                 eax, 0x103
            //   4983c602             | dec                 eax
            //   48ffc7               | mov                 dword ptr [esp + 0x140], eax

    condition:
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        date = "2020-12-4"
        info = "Operation MUZABI"
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            (2 of ($appleseed_str*))
        and
            (1 of ($seed_str*))
        and
            (1 of ($appleseed_key*))
}
Download all Yara Rules