# AppleSeed Disguised as Purchase Order and Request Form Being Distributed **asec.ahnlab.com/en/36368/** July 11, 2022 The ASEC analysis team has recently discovered the distribution of AppleSeed disguised as purchase orders and request forms. AppleSeed is a backdoor malware mainly used by the Kimsuky group. It stays in the system and performs malicious behaviors by receiving commands from attackers. [Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)](https://asec.ahnlab.com/en/30532/) The malware is currently being distributed under the following filenames. Purchase order-**-2022****-001-National Tax Service additionally implementing security sensors in 5 regional tax offices_***.jse Request form(general manager ***).jse The JSE (JScript Encoded File) file consists of JavaScript, and when it is run, it drops AppleSeed backdoor file (DLL file) and the purchase order PDF file that acts as bait in the %ProgramData% path. After then, PDF file is automatically run (see Figure 2). ----- Figure 1. Dropping malware and PDF file used as bait Figure 2. Details of PDF file The file uses regsvr32.exe to decode and run the backdoor file (area shaded with purple) and mshta.exe to download and run additional scripts (area shaded with red). ----- Figure 3. Running AppleSeed and downloading additional scripts When the scripts are run, the following information is stolen and sent to the C2. Basic information of the PC (PC name, OS version, processor, and memory) User account credentials Network information (IP address, routing table, port usage information, and ARP list) List of running processes and services Folders and files within ProgramFiles / Programs within the Start menu / List of recent files Figure 4. Information stolen using additionally downloaded scripts The AppleSeed backdoor file continuously receives commands from the C2 server to download and run additional modules, or perform behaviors that the attacker wishes to [perform. For a detailed analysis of AppleSeed, refer to the following link.](https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf) The figure below shows the overall process tree after the scripts are run. ----- Figure 5. Process tree Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources. AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases. ----- Figure 6. Detection and blocking by V3 **[File Detection]** Dropper/JS.Generic Backdoor/Win.AppleSeed.R499775 **[IOC Info]** 7d445b39a090b486aaa002b282b4d8cb 67e7e8600a57e9430a43bf8c5f98c6bd ec9dcef04c5c89d6107d23b0668cc1c1 1ae2e46aac55e7f92c72b56b387bc945 hxxp://dirwear.000webhostapp[.]com (C2 for stealing information) hxxp://gerter.getenjoyment[.]net (C2 for AppleSeed backdoor file) **Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to** **check related IOC and detailed analysis information.** [Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information-en/) [Tagged as:AppleSeed,](https://asec.ahnlab.com/tag/appleseed/) [APT,](https://asec.ahnlab.com/en/tag/apt-en/) [Kimsuky,](https://asec.ahnlab.com/en/tag/kimsuky-en/) [malware](https://asec.ahnlab.com/en/tag/malware-en/) -----