# Appleseed Being Distributed to Nuclear Power Plant- Related Companies **asec.ahnlab.com/en/41015/** November 2, 2022 The ASEC analysis team has recently discovered a case of AppleSeed being distributed to nuclear power plant-related companies. AppleSeed is a backdoor malware used by Kimsuky, one of the organizations affiliated with North Korea, and this malware is being actively distributed to many companies. [AppleSeed Disguised as Purchase Order and Request Form Being Distributed](https://asec.ahnlab.com/en/36368/) The filenames of the AppleSeed dropper were identified by the ASEC analysis team as follows, and a double file extension was used to deceive users. 노**.xls.vbs (Noh**.xls.vbs) 배치도_고리2호기ISI.pdf.vbs (Layout_KoriNo2ISI.pdf.vbs) ----- Figure 1. AppleSeed dropper file When the file is executed, the encoded data inside is decoded and each file is created in the paths below. **[The same path as the vbs file]\Noh**.xls (Normal Excel bait file)** **%ProgramData%\qijWq.rSCKPC.b64 (Malicious PE file encoded in a certain** **format)** **%ProgramData%\qijWq.rSCKPC.bat (Batch file that decodes the** **qijWq.rSCKPC.b64 file)** The printed Excel file is automatically opened, making it seem as if the user has opened a normal Excel document. The Excel bait file contains texts related to nuclear power plants (See Figure 2). Figure 2. Details of the bait file In the background, the qijWq.rSCKPC.bat file in the %ProgramData% path is executed, which decodes qijWq.rSCKPC.b64, ultimately creating the qijWq.rSCKPC file (DLL PE). ----- Figure 3. Dropping malware Afterward, the dropped malware is executed via regsvr32, a program that executes DLL files. The exact execution argument is as follows. **regsvr32 /s /i:123579ASDFG C:\ProgramData\qijWq.rSCKPC** After the file is executed, the malware accesses the C2 below to receive and carry out the commands. Then, it encodes the results in a certain format to transmit to C2. **C2 : hxxp://ndt.info[.]gf/index.php** **Commands** die: Terminate getinfo: PC information where: Currently running path run: Executes certain files or commands Figure 4. Information transmitted to the server when the getinfo command is executed The attacker can use the run command to execute desired behaviors, as well as download and execute additional malware files such as AppleSeed. ----- Because the bait file is also run, users normally cannot recognize that their systems are infected by malware. As the files mentioned above mainly target certain companies, users should refrain from running attachments in emails sent from unknown sources. AhnLab’s anti-malware software, V3, is currently detecting and blocking the files using the following aliases. Figure 5. Detection using the V3 product **[File Detection]** Dropper/VBS.Generic.SC183898 Dropper/Win.AppleSeed.R531012 Dropper/VBS.VBS **[IOC Info]** 55a9a935b36da90fb5a7ab814d567a40 ba83312ea92c284c710bcc0906a29fb1 hxxp://ndt.info[.]gf/index.php **Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to** **check related IOC and detailed analysis information.** [Categories:Malware Information](https://asec.ahnlab.com/en/category/malware-information-en/) [Tagged as:AppleSeed,](https://asec.ahnlab.com/tag/appleseed/) [Kimsuky,](https://asec.ahnlab.com/en/tag/kimsuky-en/) [malware](https://asec.ahnlab.com/en/tag/malware-en/) -----