Kimsuky 그룹의 AppleSeed 악성코드 공격 동향 분석

2023-12-22 • Ahnlab • Analysis of Kimsuky Group's AppleSeed malware attack trends •

https://asec.ahnlab.com/ko/59933/

#Kimsuky #AppleSeed

Thumbnail for Kimsuky 그룹의 AppleSeed 악성코드 공격 동향 분석

AhnLab describes continued Kimsuky use of AppleSeed, a backdoor that can execute operator commands, download additional malware, log keystrokes, capture screens, and collect files from infected systems. Recent cases changed the installation flow by adding a dropper and argument checks before regsvr32 installs the AppleSeed DLL, making standalone sandbox execution less reliable. The report also covers AlphaSeed, a Go based AppleSeed variant that uses ChromeDP and email account cookies for C2 communications, plus Kimsuky’s continued use of Meterpreter and custom VNC tools such as TightVNC and TinyNuke HVNC. The activity shows Kimsuky keeping older AppleSeed tradecraft while shifting remote control and installation details.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	e582bd909800e87952eb1f206a279e47	2023-12-22	2024-06-11
HASH	232046aff635f1a5d81e415ef64649b7	2023-12-22	2024-06-11
IPv4	104.168.145.83	2023-12-22	2024-06-11
IPv4	38.110.1.69	2023-12-22	2024-06-11
HASH	4511e57ae1eacdf1c2922bf1a94bfb8d	2023-12-22	2023-12-28
HASH	b6ab96dc4778c6704b6def5db448a020	2023-12-22	2023-12-28
HASH	f3a55d49562e41c7d339fb52457513ba	2023-12-22	2023-12-28
HASH	ae9593c0c80e55ff49c28e28bf8bc887	2023-12-22	2023-12-28
HASH	ee76638004c68cfc34ff1fea2a7565a7	2023-12-22	2023-12-28
HASH	d94c6323c3f77965451c0b7ebeb32e13	2023-12-22	2023-12-28
HASH	e34669d56a13d607da1f76618eb4b27e	2023-12-22	2023-12-28
HASH	b5d3e0c3c470d2d41967229e17259c87	2023-12-22	2023-12-28
HASH	52ff761212eeaadcd3a95a1f8cce4030	2023-12-22	2023-12-28
HASH	db5fc5cf50f8c1e19141eb238e57658c	2023-12-22	2023-12-28
HASH	ac99b5c1d66b5f0ddb4423c627ca8333	2023-12-22	2023-12-28
HASH	76831271eb117b77a57869c80bfd6ba6	2023-12-22	2023-12-28
HASH	58fafabd6ae8360c9d604cd314a27159	2023-12-22	2023-12-28
HASH	1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf	2023-12-22	2023-12-28
HASH	153383634ee35b7db6ab59cde68bf526	2023-12-22	2023-12-28
HASH	cafc26b215550521a12b38de38fa802b	2023-12-22	2023-12-28
HASH	02843206001cd952472abf5ae2b981b2	2023-12-22	2023-12-28
HASH	cacf04cd560b70eaaf0e75f3da9a5e8f	2023-12-22	2023-12-28
HASH	0cce02d2d835a996ad5dfc0406b44b01	2023-12-22	2023-12-28
HASH	c560d3371a16ef17dd79412f6ea99d3a	2023-12-22	2023-12-28
HASH	5d3ab2baacf2ad986ed7542eeabf3dab	2023-12-22	2023-12-28
HASH	7a7937f8d4dcb335e96db05b2fb64a1b	2023-12-22	2023-12-28
HASH	d4ad31f316dc4ca0e7170109174827cf	2023-12-22	2023-12-28
HASH	b6f17d59f38aba69d6da55ce36406729	2023-12-22	2023-12-28
HASH	4cb843f2a5b6ed7e806c69e6c25a1025	2023-12-22	2023-12-28
HASH	6a968fd1608bca7255c329a0701dbf58	2023-12-22	2023-12-28
HASH	8aeacd58d371f57774e63d217b6b6f98	2023-12-22	2023-12-28
URL	http://yes24.r-e.kr/aha/	2023-12-22	2023-12-28
URL	http://nobtwoseb1.n-e.kr//	2023-12-22	2023-12-28
URL	http://bitburny.kro.kr/aha/	2023-12-22	2023-12-28
URL	http://update.ahnlaib.kro.kr/ah…	2023-12-22	2023-12-28
URL	http://update.onedrive.p-e.kr/a…	2023-12-22	2023-12-28
URL	http://doma2.o-r.kr//	2023-12-22	2023-12-28
URL	http://octseven1.p-e.kr//	2023-12-22	2023-12-28
URL	http://bitthum.kro.kr/hu/	2023-12-22	2023-12-28
URL	http://update.doumi.kro.kr/aha/	2023-12-22	2023-12-28
URL	http://tehyeran1.r-e.kr//	2023-12-22	2023-12-28
URL	http://my.topton.r-e.kr/address/	2023-12-22	2023-12-28
DOMAIN	yes24.r-e.kr	2023-12-22	2023-12-28
DOMAIN	update.ahnlaib.kro.kr	2023-12-22	2023-12-28
DOMAIN	nobtwoseb1.n-e.kr	2023-12-22	2023-12-28
DOMAIN	doma2.o-r.kr	2023-12-22	2023-12-28
DOMAIN	update.doumi.kro.kr	2023-12-22	2023-12-28
DOMAIN	update.onedrive.p-e.kr	2023-12-22	2023-12-28
DOMAIN	octseven1.p-e.kr	2023-12-22	2023-12-28
DOMAIN	bitburny.kro.kr	2023-12-22	2023-12-28
DOMAIN	tehyeran1.r-e.kr	2023-12-22	2023-12-28
DOMAIN	bitthum.kro.kr	2023-12-22	2023-12-28
DOMAIN	my.topton.r-e.kr	2023-12-22	2023-12-28
IPv4	159.100.6.137	2023-12-22	2023-12-28
IPv4	45.114.129.138	2023-12-22	2023-12-28
IPv4	107.148.71.88	2023-12-22	2023-12-28