January 2, 2024
Severity
High
Analysis Summary
Threat actors have been observed using spear-phishing attacks to deploy various backdoors and tools, including AppleSeed, Meterpreter, and TinyNuke, to compromise machines. A cybersecurity company attributes these activities to Kimsuky, a North Korean advanced persistent threat group active for over a decade. Kimsuky, recently sanctioned by the U.S. government, has expanded its targeting beyond South Korea since 2017.
Researchers report that AppleSeed, a notable Windows-based backdoor employed by Kimsuky, has been active since May 2019 and has since gained an Android version and a Golang variant called AlphaSeed. Both AppleSeed and AlphaSeed receive instructions from a command-and-control (C2) server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, written in Golang, uses chromedp (a Go library that drives a Chrome browser over the DevTools Protocol) to communicate with its C2 server, in contrast to AppleSeed's reliance on HTTP or SMTP.
Evidence suggests Kimsuky has been using AlphaSeed in attacks since October 2022, and in some cases both AppleSeed and AlphaSeed were deployed on the same target system via a JavaScript dropper. The threat actor also uses Meterpreter and VNC-based tools such as TightVNC and TinyNuke for remote control of compromised systems.
Another researcher has uncovered online personas on LinkedIn and GitHub likely used by North Korean IT workers to fraudulently secure remote employment in the U.S., providing a revenue stream for the regime. These personas claim proficiency in various applications and experience in crypto and blockchain transactions, seeking remote-only positions in the technology sector.
North Korean threat groups have increasingly targeted blockchain and cryptocurrency firms to steal intellectual property and virtual assets, employing novel tactics and exploiting supply chain weaknesses. The country’s adept and aggressive cyber capabilities challenge perceptions of it being a “Hermit Kingdom” in the cyber domain, emphasizing its serious role in evading international sanctions and engaging in illicit profit schemes.
Impact
- Data Exfiltration
- Sensitive Information Theft
- Financial Loss
Indicators of Compromise
MD5
- f3a55d49562e41c7d339fb52457513ba
- 1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf
SHA-256
- 08d740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72
- cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5
SHA-1
- 88ac3915d4204818d3360ac930497921fd35f44e
- 5d41e15aba6d89fe99b96e53a3c9d18da7e019a6
URL
- http://bitburny.kro.kr/aha/
- http://bitthum.kro.kr/hu/
- http://doma2.o-r.kr/
- http://my.topton.r-e.kr/address/
- http://nobtwoseb1.n-e.kr/
- http://octseven1.p-e.kr/
- http://tehyeran1.r-e.kr/
- http://update.ahnlaib.kro.kr/aha/
- http://update.doumi.kro.kr/aha/
- http://update.onedrive.p-e.kr/aha/
- http://yes24.r-e.kr/aha/
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- It is also recommended that individuals and organizations use secure and encrypted communication channels, such as VPNs and encrypted email, when transmitting sensitive information.
- Additionally, the use of multi-factor authentication can help reduce the risk of sensitive information being stolen by attackers.
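To make the "search for IOCs in your environment" step concrete, the following Python script is an added example (it is not part of the Rewterz advisory and not Kimsuky tooling). It takes the hashes and C2 URLs listed in the Indicators of Compromise section above and performs two sweeps: hashing files under a directory and comparing them against the hash list, and scanning proxy-style log lines for requests to the listed URLs or hosts. The proxy log lines in SAMPLE_LOG are constructed for illustration; the log format, field order, and function names are assumptions.

```python
"""IOC sweep for the AppleSeed/AlphaSeed indicators listed in this advisory.

Added example, not part of the original advisory. Two checks:
  1. hash_sweep(root): hash every file under `root` (MD5/SHA-1/SHA-256 in one
     pass) and report files matching the advisory's hash list.
  2. url_sweep(lines): pull URLs out of proxy/DNS log lines and report requests
     that hit a listed C2 URL prefix or C2 hostname.
"""
import hashlib
import os
import re
import sys
from urllib.parse import urlsplit

# Hash and URL indicators copied from the advisory's IOC section.
IOC_HASHES = {
    "md5": {"f3a55d49562e41c7d339fb52457513ba", "1f7d2cbfc75d6eb2c4f2b8b7a3eec1bf"},
    "sha1": {"88ac3915d4204818d3360ac930497921fd35f44e",
             "5d41e15aba6d89fe99b96e53a3c9d18da7e019a6"},
    "sha256": {"08d740277e6c3ba06cf6e4806132d8956795b64bb32a1433a5f09bdf941a1b72",
               "cbdcf6224aa15c70a22346594d1956c0589a9411beb75a003eaccb15db4370a5"},
}
IOC_URLS = [
    "http://bitburny.kro.kr/aha/", "http://bitthum.kro.kr/hu/", "http://doma2.o-r.kr/",
    "http://my.topton.r-e.kr/address/", "http://nobtwoseb1.n-e.kr/", "http://octseven1.p-e.kr/",
    "http://tehyeran1.r-e.kr/", "http://update.ahnlaib.kro.kr/aha/", "http://update.doumi.kro.kr/aha/",
    "http://update.onedrive.p-e.kr/aha/", "http://yes24.r-e.kr/aha/",
]
# Hostnames are matched exactly: the C2 names impersonate real brands (onedrive,
# yes24, ahnlab), so a loose substring match on the brand would misfire.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"""https?://[^\s"']+""")


def hash_bytes(data):
    """Return MD5/SHA-1/SHA-256 hex digests for an in-memory blob."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path, chunk=1 << 20):
    """Hash a file with all three algorithms in a single chunked read."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(digests):
    """Return [(algo, digest)] for digests that appear in the advisory list (case-insensitive)."""
    return [(algo, d.lower()) for algo, d in digests.items()
            if d.lower() in IOC_HASHES.get(algo, set())]


def hash_sweep(root):
    """Walk `root` and return [(path, algo, digest)] for files whose hash is an IOC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:  # unreadable/locked files are skipped, not fatal
                continue
            hits.extend((path, algo, digest) for algo, digest in match_hashes(digests))
    return hits


def url_matches(url):
    """Return the indicator `url` matches (a listed URL prefix or C2 host), or None.

    Prefix matching catches deeper paths under the listed C2 directories; the
    hostname fallback catches the same C2 host with a rotated path or scheme.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    normalized = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    for ioc in IOC_URLS:
        if normalized.startswith(ioc):
            return ioc
    return host if host in IOC_HOSTS else None


def url_sweep(log_lines):
    """Return [(line_index, url, indicator)] for log lines that reference a C2 URL/host."""
    hits = []
    for i, line in enumerate(log_lines):
        for url in URL_RE.findall(line):
            ioc = url_matches(url)
            if ioc:
                hits.append((i, url, ioc))
    return hits


# Constructed sample proxy log lines (timestamp, client IP, method, URL, status); not from the page.
SAMPLE_LOG = [
    "2024-01-02T09:14:07Z 10.0.4.21 GET http://update.onedrive.p-e.kr/aha/index.php 200",
    "2024-01-02T09:14:09Z 10.0.4.21 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 302",
    "2024-01-02T09:15:30Z 10.0.4.37 POST http://doma2.o-r.kr/upload.php 200",
    "2024-01-02T09:16:02Z 10.0.4.37 GET https://onedrive.live.com/ 200",
    "2024-01-02T09:17:45Z 10.0.4.50 GET http://yes24.co.kr/ 200",
]

if __name__ == "__main__":
    for idx, url, ioc in url_sweep(SAMPLE_LOG):
        print(f"C2 contact at log line {idx}: {url} (matched {ioc})")
    for directory in sys.argv[1:]:  # e.g. python ioc_sweep.py /home /tmp
        for path, algo, digest in hash_sweep(directory):
            print(f"IOC hash match: {path} {algo}={digest}")
```

Run it with one or more directories as arguments to hash-sweep them; with no arguments it only demonstrates the URL sweep on the constructed log lines. Note that the legitimate onedrive.live.com and yes24.co.kr requests are not flagged, while the look-alike update.onedrive.p-e.kr and the rotated path under doma2.o-r.kr are.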