win.appleseed

Appleseed

Actor(s): Kimsuky


There is no description at this point.

References
2021-06-11TEAMT5Linda Kuo, Zih-Cing Liao
@techreport{kuo:20210611:story:897e55c, author = {Linda Kuo and Zih-Cing Liao}, title = {{Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)}}, date = {2021-06-11}, institution = {TEAMT5}, url = {https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf}, language = {English}, urldate = {2021-06-22} } Story of the ‘Phisherman’ -Dissecting Phishing Techniques of CloudDragon APT (slides)
Appleseed BabyShark
2021-06-11YouTube (Hack In The Box Security Conference)Linda Kuo, Zih-Cing Liao
@online{kuo:20210611:dissecting:cd60a32, author = {Linda Kuo and Zih-Cing Liao}, title = {{Dissecting Phishing Techniques Of CloudDragon APT}}, date = {2021-06-11}, organization = {YouTube (Hack In The Box Security Conference)}, url = {https://www.youtube.com/watch?v=Dv2_DK3tRgI}, language = {English}, urldate = {2021-06-22} } Dissecting Phishing Techniques Of CloudDragon APT
Appleseed BabyShark
2021-06-01MalwarebytesHossein Jazi
@online{jazi:20210601:kimsuky:922141b, author = {Hossein Jazi}, title = {{Kimsuky APT continues to target South Korean government using AppleSeed backdoor}}, date = {2021-06-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/}, language = {English}, urldate = {2021-06-09} } Kimsuky APT continues to target South Korean government using AppleSeed backdoor
Appleseed
2021-05-07TEAMT5Jhih-Lin Kuo, Zih-Cing Liao
@techreport{kuo:20210507:we:cd620c1, author = {Jhih-Lin Kuo and Zih-Cing Liao}, title = {{"We Are About to Land": How CloudDragon Turns a Nightmare Into Reality}}, date = {2021-05-07}, institution = {TEAMT5}, url = {https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf}, language = {English}, urldate = {2021-06-22} } "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
Appleseed BabyShark
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-12-15KISAKrCERT
@techreport{krcert:20201215:operation:4784750, author = {KrCERT}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2021-06-04} } Operation MUZABI
Appleseed
Yara Rules
[TLP:WHITE] win_appleseed_auto (20210616 | Detects win.appleseed.)
// Auto-generated YARA-Signator rule for win.appleseed (Kimsuky). Detection is
// purely opcode-sequence based: each $sequence_N is a run of raw code bytes
// lifted from the family's documented sample material, with `??` wildcards
// where a byte varies between builds (call/jump displacements and RIP-relative
// addresses). The many 0x40-0x4f (REX) prefix bytes mark this as 64-bit code.
// The DISCLAIMER below explains why the rule may generalize poorly across the
// family; assign it confidence accordingly.
rule win_appleseed_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.appleseed."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-byte disassembly in the comments below does NOT
        // line up with the hex on the left. Examples: `90` is a one-byte nop,
        // not a lea; `488d45e0` starts with a REX.W prefix and is a lea, not a
        // mov; `e8????????` is a call with a wildcarded rel32 target. The
        // mnemonics use 32-bit register names (ebp/esp) and look like a 32-bit
        // decode of 64-bit code that has drifted out of alignment. Treat the
        // hex as authoritative and the mnemonic column as informational only.
        $sequence_0 = { 488d45e0 4983c8ff 49ffc0 42803c0000 75f6 488d55e0 488d4c2430 }
            // n = 7, score = 100
            //   488d45e0             | mov                 dword ptr [ebp + 0x158], esi
            //   4983c8ff             | mov                 byte ptr [ebp + 0x148], 0
            //   49ffc0               | dec                 eax
            //   42803c0000           | lea                 ecx, dword ptr [ebp - 0x40]
            //   75f6                 | test                eax, eax
            //   488d55e0             | jne                 0x14f2
            //   488d4c2430           | dec                 eax

        $sequence_1 = { 4533f6 418bfe 488b4118 488b10 48c785e00000000f000000 4c89b5d8000000 4088bdc8000000 }
            // n = 7, score = 100
            //   4533f6               | dec                 eax
            //   418bfe               | xor                 eax, esp
            //   488b4118             | dec                 eax
            //   488b10               | mov                 dword ptr [ebp + 0x47], eax
            //   48c785e00000000f000000     | xor    edi, edi
            //   4c89b5d8000000       | mov                 dword ptr [ebp + 0x3f], edi
            //   4088bdc8000000       | dec                 eax

        $sequence_2 = { 33f6 48897568 40887558 403832 7505 448bc6 eb11 }
            // n = 7, score = 100
            //   33f6                 | inc                 ebp
            //   48897568             | xor                 eax, eax
            //   40887558             | dec                 eax
            //   403832               | mov                 edx, eax
            //   7505                 | dec                 eax
            //   448bc6               | lea                 ecx, dword ptr [ebp + 0x30]
            //   eb11                 | dec                 eax

        // Sequences 3-8 contain `48833d????????00` / `488b05????????` /
        // `e8????????`: the wildcarded bytes are displacements that differ per
        // build, which is why they are masked rather than matched literally.
        $sequence_3 = { 48833d????????00 0f842c160000 48c745d00f000000 48895dc8 c645b800 41b836000000 488d15ac1c0200 }
            // n = 7, score = 100
            //   48833d????????00     |                     
            //   0f842c160000         | mov                 dword ptr [ebp + 0x30], eax
            //   48c745d00f000000     | inc                 ebp
            //   48895dc8             | mov                 esi, eax
            //   c645b800             | dec                 eax
            //   41b836000000         | mov                 edi, edx
            //   488d15ac1c0200       | dec                 eax

        $sequence_4 = { 4881ec80000000 48c745b8feffffff 488b05???????? 4833c4 488945f0 498bf0 488bda }
            // n = 7, score = 100
            //   4881ec80000000       | jb                  0x537
            //   48c745b8feffffff     | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | mov                 ecx, dword ptr [ebp + 0x58]
            //   488945f0             | dec                 eax
            //   498bf0               | mov                 eax, dword ptr [eax]
            //   488bda               | dec                 eax

        $sequence_5 = { 72ed 48833d????????00 741f 488d0de2dc0100 }
            // n = 4, score = 100
            //   72ed                 | lea                 ecx, dword ptr [0x258da]
            //   48833d????????00     |                     
            //   741f                 | int3                
            //   488d0de2dc0100       | dec                 eax

        $sequence_6 = { 41b8ff030000 488d4d21 e8???????? 448bc6 488d15da3b0200 488d4d20 e8???????? }
            // n = 7, score = 100
            //   41b8ff030000         | dec                 eax
            //   488d4d21             | mov                 dword ptr [ebp - 0x48], ecx
            //   e8????????           |                     
            //   448bc6               | inc                 ebp
            //   488d15da3b0200       | xor                 ebp, ebp
            //   488d4d20             | inc                 ecx
            //   e8????????           |                     

        $sequence_7 = { 90 488d4db8 e8???????? 48833d????????00 0f84df060000 488d151d180200 488d4db8 }
            // n = 7, score = 100
            //   90                   | lea                 edx, dword ptr [ebp + 0x10]
            //   488d4db8             | dec                 eax
            //   e8????????           |                     
            //   48833d????????00     |                     
            //   0f84df060000         | lea                 ecx, dword ptr [esp + 0x20]
            //   488d151d180200       | mov                 byte ptr [esp + 0x20], 0
            //   488d4db8             | dec                 ecx

        $sequence_8 = { 7208 498b0f e8???????? 49c747180f000000 49897710 41c60700 49837d1810 }
            // n = 7, score = 100
            //   7208                 | mov                 ebx, edi
            //   498b0f               | dec                 eax
            //   e8????????           |                     
            //   49c747180f000000     | mov                 esi, edi
            //   49897710             | dec                 eax
            //   41c60700             | sar                 esi, 5
            //   49837d1810           | dec                 esp

        $sequence_9 = { 4c8d05df770000 418d5216 e8???????? 85c0 0f8544090000 b805000000 }
            // n = 6, score = 100
            //   4c8d05df770000       | dec                 eax
            //   418d5216             | lea                 edx, dword ptr [0x1c18d]
            //   e8???????? 		  |                     
            //   85c0                 | dec                 eax
            //   0f8544090000         | lea                 ecx, dword ptr [esp + 0x40]
            //   b805000000           | mov                 byte ptr [esp + 0x40], 0

    condition:
        // 7 of the 10 sequences must be present, and the scanned object must be
        // smaller than 497664 bytes (486 KiB). Because the sequences were taken
        // from memory dumps and unpacked files (see DISCLAIMER), expect hits on
        // unpacked code / process memory rather than on packed droppers.
        7 of them and filesize < 497664
}
[TLP:WHITE] win_appleseed_w0   (20201015 | No description)
// Hand-written KrCERT/CC rule for AppleSeed, published with the Operation
// MUZABI report. Unlike win_appleseed_auto it matches short, heavily
// wildcarded code fragments organised in three groups ($appleseed_str*,
// $appleseed_key*, $seed_str*) and requires a hit from every group, gated on
// a PE header check and a file-size bound.
rule win_appleseed_w0 {
    meta:
        author = "KrCERT/CC Profound Analysis Team"
        // Date is not zero-padded ("2020-12-4"), unlike the dates in the
        // auto-generated rule; harmless to YARA, but inconsistent.
        date = "2020-12-4"
        info = "Operation MUZABI"
        // Hashes of the samples this rule was written against (32 hex chars
        // each). YARA permits repeating a meta key, which is what is done here.
        hash = "43cc6d190238e851d33066cbe9be9ac8"
        hash = "fd10bd6013aabadbcb9edb8a23ba7331"
        hash = "16231e2e8991c60a42f293e0c33ff801"
        hash = "89fff6645013008cda57f88639b92990"
        hash = "030e2f992cbc4e61f0d5c994779caf3b"
        hash = "3620c22671641fbf32cf496b118b85f6"
        hash = "4876fc88c361743a1220a7b161f8f06f"
        hash = "94b8a0e4356d0202dc61046e3d8bdfe0"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed"
        malpedia_rule_date = "20201015"
        malpedia_version = "20201015"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hex-string syntax used below: `?` is a wildcard nibble, `[a-b]` skips
        // between a and b arbitrary bytes, `(x|y)` is an alternative. The
        // authors did not document what each fragment corresponds to; the
        // readings below are a reviewer's and should be confirmed against the
        // listed samples before being relied on.
        //
        // NOTE(review): `0f 8?` is a jcc rel32 opcode and `83 f? 20` an
        // `83 /6-/7` (xor/cmp) reg, imm8 form with 0x20 - looks like a
        // conditional around a 0x20 comparison; confirm.
        $appleseed_str1 = {0f 8? ?? (00|01) 00 00 [0-1] 83 f? 20 0f 8? (01|00) 00 00}
        // NOTE(review): byte store to [ebp/rbp+disp8] followed by a movzx
        // from an indexed buffer - presumably a byte-wise loop; confirm.
        $appleseed_str2 = {88 45 [0-15] 0f b6 44 ?? 01}
        // NOTE(review): two `83 /x reg, 0x10` operations close together.
        $appleseed_str3 = {83 f? 10 [0-5] 83 e? 10}
        // NOTE(review): the $appleseed_key* fragments pair indexed stores
        // (`89 04 ?9`, `89 0c 98`) with a call; likely a table/key setup
        // routine, but the name is the authors' and is not explained here.
        $appleseed_key1 = {89 04 ?9 [0-6] ff 34 ?? e8 [10-16] 89 0c 98 8b ?? 0c [0-3] ff 34 98}
        $appleseed_key2 = {83 f? 10 [0-10] 32 4c 05 ?? ?? 88 4c ?? 0f}
        $appleseed_key3 = {89 04 ?9 49 83 ?? 04 48 ?? ?? 10 8b 0c a8 e8 [0-10] 48 8b ?? ?8}
        // NOTE(review): $seed_str1 is the only fully literal fragment in the
        // rule: a movzx followed by two byte-sized xors (opcode 0x32), i.e. a
        // byte-wise XOR mixing step. $seed_str2/3 are looser variants.
        $seed_str1 = {44 0f b6 44 3d c0 45 32 c7 44 32 45 d4}
        $seed_str2 = {0f b6 44 3? ?? [0-25] 83 c4 0c}
        $seed_str3 = {32 45 c? ?? ?? ?? 32 45 e?}

    condition: 
            // 0x5a4d little-endian is "MZ": restricts matching to PE images.
            uint16(0) == 0x5a4d
        and
            filesize < 400KB
        and
            // At least two of the three generic code fragments ...
            (2 of ($appleseed_str*))
        and
            // ... plus one seed fragment ...
            (1 of ($seed_str*))
        and
            // ... plus one key fragment. All three groups are mandatory.
            (1 of ($appleseed_key*))
}