AppleSeed Malware: The Evolving Threat of the Kimsuky Group

Kimsuky (also known as Velvet Chollima and Black Banshee) is a North Korean state-backed hacker group that targets South Korean think tanks, industry, nuclear power operators, and the South Korean Ministry of Unification for espionage purposes. In recent years Kimsuky has expanded its operations to include states such as Russia, the United States, and European nations.

Kimsuky’s modus operandi primarily involves spear phishing, targeting sectors like national defense, media, and academia. Their goal is to exfiltrate sensitive information and technology. Initially focusing on South Korea, Kimsuky’s reach has expanded globally since 2017.

The hallmark of Kimsuky’s recent strategy is the use of shortcut-type malware in LNK file format, although JavaScript and malicious documents remain in their arsenal. This shift in tactics underlines their adaptability and persistent threat.

Central to Kimsuky’s operations is AppleSeed, a backdoor malware that facilitates remote system control. It can execute commands received from a C&C server, offering capabilities like keylogging, screenshots, and data theft. AppleSeed malware is often distributed via a JavaScript dropper, deceiving users by opening legitimate document files.

Shellcode for downloading Metasploit Meterpreter | Image: ASEC

The group’s persistence in using AppleSeed, despite no significant changes in the accompanying malware, is noteworthy. They continue to use the same Infostealer and RDP Patch malware, first identified in 2022, demonstrating a reliance on proven tools.

Kimsuky’s arsenal also includes AlphaSeed, developed in Golang, which shares features with AppleSeed, such as command execution and information stealing. This malware uses Chrome Remote Desktop for communication, differing from AppleSeed’s HTTP protocol or email use, according to the AhnLab Security Emergency Response Center (ASEC) report.

The group has also been observed using Metasploit’s Meterpreter for controlling infected systems and VNC malware for remote access. These tools showcase Kimsuky’s broad range of capabilities in executing targeted cyber attacks.

The Kimsuky threat group exemplifies the dynamic nature of cyber threats. Their consistent focus on South Korean users, along with a global expansion, poses a continuous challenge to cybersecurity. The group skillfully blends traditional methods with new tactics, using malware disguised as document files to gain control over systems.