Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

ID: S0622

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 10 Jun 2021

Last Modified: 15 Mar 2022

Domain	ID		Name	Use
Techniques Used
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	AppleSeed has the ability to communicate with C2 over HTTP.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	AppleSeed can zip and encrypt data collected on a target system.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	AppleSeed has the ability to create the Registry key name `EstsoftAutoUpdate` at `HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce` to establish persistence.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	AppleSeed has the ability to execute its payload via PowerShell.(Citation: Malwarebytes Kimsuky June 2021)
		.007	Command and Scripting Interpreter: JavaScript	AppleSeed has the ability to use JavaScript to execute PowerShell.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1074	.001	Data Staged: Local Data Staging	AppleSeed can stage files in a central location prior to exfiltration.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1070	.004	Indicator Removal: File Deletion	AppleSeed can delete files from a compromised host after they are exfiltrated.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1056	.001	Input Capture: Keylogging	AppleSeed can use `GetKeyState` and `GetKeyboardState` to capture keystrokes on the victim’s machine.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	AppleSeed has used UPX packers for its payload DLL.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	AppleSeed has been distributed to victims through malicious e-mail attachments.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1218	.010	System Binary Proxy Execution: Regsvr32	AppleSeed can call regsvr32.exe for execution.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise	T1204	.002	User Execution: Malicious File	AppleSeed can achieve execution through users running malicious file attachments distributed via email.(Citation: Malwarebytes Kimsuky June 2021)

ID	Name	References
Groups That Use This Software
G0094	Kimsuky	(Citation: Malwarebytes Kimsuky June 2021) (Citation: KISA Operation Muzabi)

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

AppleSeed

Techniques Used

Groups That Use This Software

References