AppleSeed

AppleSeed, JamBog
(Type: Backdoor)

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year / Trend Per Month: no data points (charts not reproduced in text)

[News Analysis] News Mention Another Threat Name:

No entries
[TTP Analysis] Technique Performance (tactic: techniques mapped / techniques in tactic):

Reconnaissance: 0/43
Resource Development: 0/45
Initial Access: 1/19
Execution: 4/36
Persistence: 1/113
Privilege Escalation: 2/96
Defense Evasion: 8/184
Credential Access: 1/63
Discovery: 5/44
Lateral Movement: 0/22
Collection: 8/37
Command and Control: 2/39
Exfiltration: 3/18
Impact: 0/26


[TTP Analysis] Mitre Attack Matrix (techniques grouped by tactic):

Reconnaissance (TA0043): no techniques mapped

Resource Development (TA0042): no techniques mapped

Initial Access (TA0001)
T1566.001 Phishing: Spearphishing Attachment

Execution (TA0002)
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.007 Command and Scripting Interpreter: JavaScript
T1106 Native API
T1204.002 User Execution: Malicious File

Persistence (TA0003)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation (TA0004)
T1134 Access Token Manipulation
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defense Evasion (TA0005)
T1134 Access Token Manipulation
T1140 Deobfuscate/Decode Files or Information
T1070.004 Indicator Removal: File Deletion
T1036 Masquerading
T1036.005 Masquerading: Match Legitimate Name or Location
T1027 Obfuscated Files or Information
T1027.002 Obfuscated Files or Information: Software Packing
T1218.010 System Binary Proxy Execution: Regsvr32

Credential Access (TA0006)
T1056.001 Input Capture: Keylogging

Discovery (TA0007)
T1083 File and Directory Discovery
T1057 Process Discovery
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1124 System Time Discovery

Lateral Movement (TA0008): no techniques mapped

Collection (TA0009)
T1560 Archive Collected Data
T1560.001 Archive Collected Data: Archive via Utility
T1119 Automated Collection
T1005 Data from Local System
T1025 Data from Removable Media
T1074.001 Data Staged: Local Data Staging
T1056.001 Input Capture: Keylogging
T1113 Screen Capture

Command and Control (TA0011)
T1071.001 Application Layer Protocol: Web Protocols
T1008 Fallback Channels

Exfiltration (TA0010)
T1030 Data Transfer Size Limits
T1041 Exfiltration Over C2 Channel
T1567 Exfiltration Over Web Service

Impact (TA0040): no techniques mapped


[Infrastructure Analysis] Based on Related IOC:

IP:Port / Timestamp: no entries
Domain / Timestamp: no entries
URL / Timestamp: no entries


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: AppleSeed

Names: AppleSeed, JamBog

Description: AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.

Category: Malware

Type: Backdoor

Information: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Information: https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

Mitre-attack: https://attack.mitre.org/software/S0622/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre), techniques grouped by tactic:

Reconnaissance (TA0043): no techniques mapped

Resource Development (TA0042): no techniques mapped

Initial Access (TA0001)
T1566.001 Phishing: Spearphishing Attachment
AppleSeed has been distributed to victims through malicious e-mail attachments.

Execution (TA0002)
T1059.001 Command and Scripting Interpreter: PowerShell
AppleSeed has the ability to execute its payload via PowerShell.
T1059.007 Command and Scripting Interpreter: JavaScript
AppleSeed has the ability to use JavaScript to execute PowerShell.
T1106 Native API
AppleSeed has the ability to use multiple dynamically resolved API calls.
T1204.002 User Execution: Malicious File
AppleSeed can achieve execution through users running malicious file attachments distributed via email.

Persistence (TA0003)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence.

Privilege Escalation (TA0004)
T1134 Access Token Manipulation
AppleSeed can gain system-level privilege by passing SeDebugPrivilege to the AdjustTokenPrivileges API.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence.

Defense Evasion (TA0005)
T1134 Access Token Manipulation
AppleSeed can gain system-level privilege by passing SeDebugPrivilege to the AdjustTokenPrivileges API.
T1140 Deobfuscate/Decode Files or Information
AppleSeed can decode its payload prior to execution.
T1070.004 Indicator Removal: File Deletion
AppleSeed can delete files from a compromised host after they are exfiltrated.
T1036 Masquerading
AppleSeed can disguise JavaScript files as PDFs.
T1036.005 Masquerading: Match Legitimate Name or Location
AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.
T1027 Obfuscated Files or Information
AppleSeed has the ability to Base64-encode its payload and custom-encrypt API calls.
T1027.002 Obfuscated Files or Information: Software Packing
AppleSeed has used UPX packers for its payload DLL.
T1218.010 System Binary Proxy Execution: Regsvr32
AppleSeed can call regsvr32.exe for execution.

Credential Access (TA0006)
T1056.001 Input Capture: Keylogging
AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim's machine.

Discovery (TA0007)
T1083 File and Directory Discovery
AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.
T1057 Process Discovery
AppleSeed can enumerate the current process on a compromised host.
T1082 System Information Discovery
AppleSeed can identify the OS version of a targeted system.
T1016 System Network Configuration Discovery
AppleSeed can identify the IP of a targeted system.
T1124 System Time Discovery
AppleSeed can pull a timestamp from the victim's machine.

Lateral Movement (TA0008): no techniques mapped

Collection (TA0009)
T1560 Archive Collected Data
AppleSeed has compressed collected data before exfiltration.
T1560.001 Archive Collected Data: Archive via Utility
AppleSeed can zip and encrypt data collected on a target system.
T1119 Automated Collection
AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.
T1005 Data from Local System
AppleSeed can collect data on a compromised host.
T1025 Data from Removable Media
AppleSeed can find and collect data from removable media devices.
T1074.001 Data Staged: Local Data Staging
AppleSeed can stage files in a central location prior to exfiltration.
T1056.001 Input Capture: Keylogging
AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim's machine.
T1113 Screen Capture
AppleSeed can take screenshots on a compromised host by calling a series of APIs.

Command and Control (TA0011)
T1071.001 Application Layer Protocol: Web Protocols
AppleSeed has the ability to communicate with C2 over HTTP.
T1008 Fallback Channels
AppleSeed can use a second channel for C2 when the primary channel is in upload mode.

Exfiltration (TA0010)
T1030 Data Transfer Size Limits
AppleSeed has divided files if the size is 0x1000000 bytes or more.
T1041 Exfiltration Over C2 Channel
AppleSeed can exfiltrate files via the C2 channel.
T1567 Exfiltration Over Web Service
AppleSeed has exfiltrated files using web services.

Impact (TA0040): no techniques mapped