Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields related to North Korea and foreign affairs. According to the scan logs of AhnLab’s ASD infrastructure, the threat group has been mainly targeting personal users rather than companies, but has... The post Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash) appeared first on ASEC BLOG.

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

This document is an analysis report on types of malware recently utilized by the Kimsuky group. The Kimsuky group is mainly known for launching social engineering attacks such as spear phishing. Judging by the names of the attached files, the group seems to be targeting those working in the fields related to North Korea and foreign affairs. According to the scan logs of AhnLab’s ASD infrastructure, the threat group has been mainly targeting personal users rather than companies, but has also been continuously attacking public institutions and companies. Korean universities have been one of their major targets, but records exist of them attacking IT, information and communications, and construction institutions as well.

Normally, malware strains assumed to be attachments of spear phishing attack emails are disguised as document files. If a user runs the file, malware of this type runs the document that corresponds to the disguised file name and tricks the user into thinking that they have opened a normal file. It installs additional malware strains at the same time, mainly AppleSeed and PebbleDash. AppleSeed has been present since 2019 and when compared to other malware strains based on the IOCs organized by AhnLab, it takes up a significant portion due to being used in various other attacks. PebbleDash is one of the NukeSped variants, known for having been used by the Lazarus group since the past. Recently, it has been found that a new variant is being used for attacks along with AppleSeed.

They are both backdoors used by the Kimsuky group that can stay in the system and perform malicious behaviors by receiving commands from the attacker. The attacker can use backdoor to install another remote control malware such as Meterpreter and HVNC, or various other types of malware for privilege escalation and account credential theft.

This report will analyze the overall flow of attacks using AppleSeed and PebbleDash, starting from malware strains that are initially distributed. As both malware types are not confined to a single form, the report will compare each type and focus on similarities and differences, and also explain in detail other types of malware that the two malware additionally install.

____

Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

____

Contents
Overview
1. Distribution Method
…. 1.1. Script
…. 1.2. Executable File (pif)
…….. 1.2.1. Thread #1
…….. 1.2.2. Thread #2
…….. 1.2.3. Thread #3
…….. 1.2.4. Thread #4
…. 1.3. Additional Script
…….. 1.3.1. Primary Script
…….. 1.3.2. Secondary Script
2. Analysis of Downloader Malware
…. 2.1. Downloader
…….. 2.1.1. Install Process
…….. 2.1.2. Downloader Behavior
3. Analysis of AppleSeed
…. 3.1. Analysis of Default Features
…….. 3.1.1. Initial Routine
…….. 3.1.2. Installation
…….. 3.1.3. Privilege Escalation
…….. 3.1.4. Thread
…. 3.2. Analysis of Info-stealing Feature
…….. 3.2.1. Information Theft
…….. 3.2.2. Additional Commands
…. 3.3. C&C Communications Using Emails
…….. 3.2.1. Ping Thread (SMTP)
…….. 3.2.2. Command Thread (IMAP)
4. Analysis of PebbleDash
…. 4.1. Analysis of Initial PebbleDash
…….. 4.1.1. Initial Routine
…….. 4.1.2. Recovering Settings Data
…….. 4.1.3. C&C Communications
…….. 4.1.4. Performing Commands
…. 4.2. Analysis of Latest PebbleDash
…….. 4.2.1. Initial Routine
…….. 4.2.2. Recovering Settings Data
…….. 4.2.3. C&C Communications
…….. 4.2.4. Performing Commands
5. Post Infection
…. 5.1. Remote Control
…….. 5.1.1. Meterpreter
…….. 5.1.2. HVNC (TinyNuke)
…….. 5.1.3. TightVNC
…….. 5.1.4. RDP Wrapper
…. 5.2. RDP Related
…….. 5.2.1. Adding RDP User
…….. 5.2.2. RDP Patcher
…. 5.3. Privilege Escalation
…….. 5.3.1. UACMe
…….. 5.3.2. CVE-2021-1675 Vulnerability
…. 5.4. Collecting Information
…….. 5.4.1. Mimikatz
…….. 5.4.2. Collecting Chrome Account Credentials
…….. 5.4.3. Keylogger
…. 5.5. Others
…….. 5.5.1. Proxy Malware
AhnLab’s Response
Conclusion
IOC (Indicators Of Compromise)
File Path and Name
File Hashes (MD5)
Related Domain, URL, and IP Address

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash) appeared first on ASEC BLOG.