Kimsuky Group Using Weaponized LNK File to Deploy AppleSeed Malware
Hackers use weaponized LNK (Windows shortcut) files to abuse the Windows operating system. These files usually carry a malicious command or payload that is executed when the user double-clicks the shortcut.
These weaponized files enable threat actors to carry out several kinds of malicious activity, such as:-
- Gain unauthorized access
- Deploy malware
- Deliver a malicious payload
Recently, cybersecurity researchers at ASEC identified that the Kimsuky group has been actively using weaponized LNK files to deploy the AppleSeed malware.
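As an added defender-side illustration (this is not code from the ASEC report or from this article), the following Python script parses the parts of the Shell Link (.lnk) format that matter when triaging a suspicious shortcut: the LinkFlags, the ShowCommand value, and the StringData fields that hold the target path and the command-line arguments. The sample shortcuts are constructed in memory, and the helper names `build_lnk`, `parse_lnk` and `triage` are this example's own; the field layout follows the MS-SHLLINK specification.

```python
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID that every Shell Link header carries, stored little-endian
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7

# Interpreters that are rarely the legitimate target of a document-looking shortcut
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")


def build_lnk(relative_path, arguments, working_dir=".", show_command=SW_SHOWNORMAL):
    """Assemble a minimal .lnk (header + StringData) for the demo; a constructed sample, not real malware."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID
    # flags, attrs, 3 timestamps, size, icon index, ShowCommand, hotkey, reserved x3 = 56 bytes
    header += struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, working_dir, arguments):  # StringData order from the spec
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the triage-relevant fields of a Shell Link file as a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (u16 size + items)
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 total size, self-inclusive)
        size, = struct.unpack_from("<I", data, off)
        off += size

    def read_string():
        nonlocal off
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            s = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            s = data[off:off + count].decode("cp1252", "replace")
            off += count
        return s

    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & bit else ""
    fields["show_command"] = show_command
    return fields


def triage(fields):
    """Heuristics a responder would check first; returns a list of human-readable findings."""
    findings = []
    target = fields["relative_path"].lower().rsplit("\\", 1)[-1]
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script/command host: {target}")
    if fields["arguments"]:
        findings.append("shortcut carries command-line arguments")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimized on launch (SW_SHOWMINNOACTIVE)")
    return findings


# Constructed samples: a shortcut that launches a shell with arguments, and an ordinary document link
SUSPECT_SAMPLE = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed-sample",
                           show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk(r"..\Documents\report.docx", "")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], repr(f["arguments"]), triage(f))
```

To use it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `parse_lnk`; the parser deliberately skips the IDList and LinkInfo blocks rather than interpreting them, because the StringData fields are where a shortcut's actual command line lives.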
LNK File to Deploy AppleSeed Malware
Kimsuky, backed by North Korea, has been active since 2013. Initially, the group hit South Korean research institutes and later targeted a South Korean energy company in 2014.
This sophisticated group expanded its attack surface globally in 2017, and it specializes in spear phishing against:-
- Protection
- Industries
- Media
- Diplomacy
- Organizations
- Academia
The main goal of this group is to steal internal data and technologies. The group's operators prefer LNK malware but also employ:-
- JavaScript macros
- Excel macros
It is persistent in its use of AppleSeed, with new variants like AlphaSeed, and not only that: it has also kept its Infostealer and RDP Patch malware in consistent use since 2022.
Apart from this, it notably switched from RDP to Chrome Remote Desktop for better control with minimal changes to its methods.
AppleSeed is controlled by the threat actors and is usually distributed through a JavaScript dropper. It installs in disguised paths under “%APPDATA%” or “%PROGRAMDATA%,” posing as a legitimate program.
AlphaSeed, a Golang malware similar to AppleSeed, uses ChromeDP for C&C communication and different login methods. The Kimsuky group combines AppleSeed and AlphaSeed, often installing them together.
Metasploit is a penetration testing framework that includes Meterpreter, which is also a backdoor used by Kimsuky. They also make use of the following VNC malware:-
- TightVNC
- HVNC
For reference, “TinyNuke,” a banking malware that features HVNC and is used by Kimsuky, employs strings like “AVE_MARIA,” and the Kimsuky group has been using these tactics since at least 2022.
The Kimsuky threat group targets South Korea with constant spear phishing, sending malware as email attachments; running these files gives the attackers control over the targeted system.
Recommendations
Cybersecurity researchers urged users to follow these recommendations:-
- Beware of unknown senders
- Avoid opening unexpected files
- Keep the OS up to date
- Make sure to update the browsers
- Keep V3 up to date for prevention
IOCs
MD5
- db5fc5cf50f8c1e19141eb238e57658c : AppleSeed (%APPDATA%\Grunt condominium\Provider\AdobeService.dll)
- 6a968fd1608bca7255c329a0701dbf58 : AppleSeed (%APPDATA%\Grunt condominium\Provider\AdobeService.dll)
- cafc26b215550521a12b38de38fa802b : AppleSeed (%APPDATA%\Grunt condominium\Provider\AdobeService.dll)
- 76831271eb117b77a57869c80bfd6ba6 : AppleSeed (%APPDATA%\FoxitReader\Provider\FoxitReaderUpdate.db)
- b5d3e0c3c470d2d41967229e17259c87 : AppleSeed (%APPDATA%\chrome\Provider\updategoogle.dll)
- 4511e57ae1eacdf1c2922bf1a94bfb8d : AppleSeed (%APPDATA%\EastSoftControl\Provider\EastSoftUpdate.dll)
- 02843206001cd952472abf5ae2b981b2 : AppleSeed (%APPDATA%\FoxitReader\Provider\FoxitReaderUpdate.db)
- 8aeacd58d371f57774e63d217b6b6f98 : AppleSeed (%APPDATA%\Acrobatreader\Provider\AcrobatReaderUpdate.db)
- cacf04cd560b70eaaf0e75f3da9a5e8f : AppleSeed (%APPDATA%\ProtectSoftUpdate\Provider\ProtectSoftUpdate.db)
- 7a7937f8d4dcb335e96db05b2fb64a1b : AppleSeed (%APPDATA%\Grunt condominium\Provider\AdobeService.dll)
- f3a55d49562e41c7d339fb52457513ba : AppleSeed (%APPDATA%\FoxitReader\Provider\FoxitReaderUpdate.db)
- 5d3ab2baacf2ad986ed7542eeabf3dab : AppleSeed Dropper
- d4ad31f316dc4ca0e7170109174827cf : AppleSeed Dropper
- 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf : AppleSeed Dropper
- ae9593c0c80e55ff49c28e28bf8bc887 : AppleSeed Dropper
- b6f17d59f38aba69d6da55ce36406729 : AppleSeed Dropper
- 153383634ee35b7db6ab59cde68bf526 : AppleSeed Dropper
- c560d3371a16ef17dd79412f6ea99d3a : AppleSeed Dropper
- 0cce02d2d835a996ad5dfc0406b44b01 : AppleSeed Dropper
- d94c6323c3f77965451c0b7ebeb32e13 : AlphaSeed (%USERPROFILE%\.edge\edgemgmt.dat)
- 52ff761212eeaadcd3a95a1f8cce4030 : AlphaSeed (%USERPROFILE%\.edge\edgemgmt.dat)
- 4cb843f2a5b6ed7e806c69e6c25a1025 : AlphaSeed (%USERPROFILE%\.edge\edgemgmt.dat)
- b6ab96dc4778c6704b6def5db448a020 : AlphaSeed (%USERPROFILE%\.edge\edgemgmt.dat)
- 232046aff635f1a5d81e415ef64649b7 : Meterpreter (%PROGRAMDATA%\atmosphere.dat)
- 58fafabd6ae8360c9d604cd314a27159 : Meterpreter (%SystemRoot%\system32\atmosphere.db)
- e582bd909800e87952eb1f206a279e47 : Meterpreter (%SystemRoot%\system32\carrier.db)
- ac99b5c1d66b5f0ddb4423c627ca8333 : Meterpreter
- e34669d56a13d607da1f76618eb4b27e : TinyNuke (HVNC)
- ee76638004c68cfc34ff1fea2a7565a7 : TightVNC
C&C URL
- hxxp://bitburny.kro[.]kr/aha/ : AppleSeed
- hxxp://bitthum.kro[.]kr/hu/ : AppleSeed
- hxxp://doma2.o-r[.]kr// : AppleSeed
- hxxp://my.topton.r-e[.]kr/tackle/ : AppleSeed
- hxxp://nobtwoseb1.n-e[.]kr// : AppleSeed
- hxxp://octseven1.p-e[.]kr// : AppleSeed
- hxxp://tehyeran1.r-e[.]kr// : AppleSeed
- hxxp://update.ahnlaib.kro[.]kr/aha/ : AppleSeed
- hxxp://update.doumi.kro[.]kr/aha/ : AppleSeed
- hxxp://update.onedrive.p-e[.]kr/aha/ : AppleSeed
- hxxp://yes24.r-e[.]kr/aha/ : AppleSeed
- 104.168.145[.]83:993 : Meterpreter
- 159.100.6[.]137:993 : Meterpreter
- 38.110.1[.]69:993 : Meterpreter
- 107.148.71[.]88:993 : Meterpreter
- 45.114.129[.]138:33890 : TinyNuke (HVNC)
- 45.114.129[.]138:5500 : TightVNC
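The IOC list above is most useful when it is actually swept against endpoints. As an added example (not code from ASEC or from this article), the following Python script walks one or more directory trees, hashes every file, and reports a hit when either the MD5 appears in the list or the file sits in the kind of location the AppleSeed entries share: a vendor-looking folder, a `Provider` subfolder, and a `.dll` or `.db` file. The hash values are copied from the list above; since the real samples are not available offline, the demo tree is constructed with placeholder files, and `sweep`, `md5_of`, `path_matches_install_pattern` and `build_demo_tree` are names chosen for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# A subset of the MD5 values from the IOC list on this page (page values, one per family)
IOC_MD5 = {
    "db5fc5cf50f8c1e19141eb238e57658c": "AppleSeed",
    "5d3ab2baacf2ad986ed7542eeabf3dab": "AppleSeed Dropper",
    "d94c6323c3f77965451c0b7ebeb32e13": "AlphaSeed",
    "232046aff635f1a5d81e415ef64649b7": "Meterpreter",
    "e34669d56a13d607da1f76618eb4b27e": "TinyNuke (HVNC)",
    "ee76638004c68cfc34ff1fea2a7565a7": "TightVNC",
}

PATH_REASON = "path:AppleSeed-style install location"


def md5_of(path, chunk=1 << 20):
    """Stream a file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def path_matches_install_pattern(path):
    """True for '<anything>\\Provider\\<name>.dll|.db', the layout every AppleSeed path in the list shares."""
    p = Path(path)
    parts = [part.lower() for part in p.parts]
    return "provider" in parts and p.suffix.lower() in (".dll", ".db")


def sweep(roots, hashes=IOC_MD5):
    """Return [(path, md5, [reasons])] for every file that matches a hash or the path heuristic."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    digest = md5_of(full)
                except OSError:          # unreadable or vanished file: skip, do not abort the sweep
                    continue
                reasons = []
                if digest in hashes:
                    reasons.append("hash:" + hashes[digest])
                if path_matches_install_pattern(full):
                    reasons.append(PATH_REASON)
                if reasons:
                    hits.append((full, digest, reasons))
    return hits


def build_demo_tree():
    """Constructed sample tree: one placeholder planted at an AppleSeed-style path, one benign file."""
    root = Path(tempfile.mkdtemp())
    planted = root / "Roaming" / "FoxitReader" / "Provider" / "FoxitReaderUpdate.db"
    planted.parent.mkdir(parents=True)
    planted.write_bytes(b"constructed placeholder, not the real sample")
    (root / "Roaming" / "notes.txt").write_text("benign content")
    return root, planted


if __name__ == "__main__":
    demo_root, _ = build_demo_tree()
    for path, digest, reasons in sweep([demo_root]):
        print(digest, path, reasons)
```

On a real host the roots would be the expanded `%APPDATA%`, `%PROGRAMDATA%` and `%USERPROFILE%` directories named in the list; the path heuristic is there because a recompiled sample changes its hash but the actor tends to keep the same install layout, so a path-only hit is worth a manual look rather than an automatic verdict.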
Source credit : cybersecuritynews.com