AppleSeed

Malware updated 4 months ago (2024-11-29T14:26:53.262Z)
AppleSeed is a sophisticated malware family, believed to be affiliated with North Korean nation-state actors, that has been used in various cyber attacks. The malware uses a two-layer command structure to communicate with its command and control server, making it particularly effective at seizing control of compromised machines. It has been linked to other notable malware families such as BabyShark, and is typically delivered through spear-phishing attacks. Its deployment has been observed in several campaigns against South Korea's government, where the attackers reused infrastructure previously used to host phishing websites for AppleSeed backdoor command and control communications. The AppleSeed backdoor was first discovered in October 2022.

In one of its most notorious uses, it was developed for an attack on behalf of the charity Appleseed México. Lawyers in the Mexico City office filed an amparo, a request for constitutional protection, with the Mexican Supreme Court, arguing that Appleseed México represented the collective rights of individuals affected by the rule. This incident highlights the malware's potential for misuse and the significant threat it poses to organizations and governments.

The technical execution of the AppleSeed payload involves opening a decoy PDF file by calling Wscript.Shell.Run, followed by execution of the AppleSeed payload through PowerShell, which calls regsvr32.exe. The content of the decoy PDF file and the AppleSeed payload are both Base64-encoded, the latter encoded twice. The Nocturnus team, responsible for tracking down the malware's infrastructure, commended Paul Hughes for his role in uncovering these details.
Description last updated: 2024-05-04T21:19:09.386Z
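As an added defender-side illustration (not code from this page or from any vendor), the Python below applies the execution chain described above, a decoy opened via Wscript.Shell.Run and the payload launched through PowerShell calling regsvr32.exe with a twice-Base64-encoded argument, to constructed process-creation events. The event tuple layout, file names and the encoded blob are assumptions made for the example.

```python
import base64
import re
# Constructed stand-in for the double-Base64-encoded payload argument (not a real sample).
DOUBLE_B64 = base64.b64encode(base64.b64encode(b"MZ\x90\x00constructed")).decode()
# Constructed process-creation events: (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\System32\wscript.exe", "wscript.exe invoice.js"),
    (101, 100, r"C:\Windows\System32\cmd.exe", "cmd /c start decoy.pdf"),
    (102, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -enc " + DOUBLE_B64),
    (103, 102, r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s payload.dll"),
    (200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (201, 200, r"C:\Windows\System32\regsvr32.exe", "regsvr32 /s legit.dll"),
]
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def is_double_base64(token: str) -> bool:
    """Heuristic: token decodes to bytes that are themselves valid Base64."""
    try:
        inner = base64.b64decode(token, validate=True)
        return (len(inner) % 4 == 0 and B64_RE.match(inner) is not None
                and len(base64.b64decode(inner, validate=True)) > 0)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Walk ppid links upward; stops at an unknown or already-seen pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid][1]
    return chain

def find_suspicious_chains(events):
    """Flag regsvr32.exe launched under powershell.exe and wscript.exe; note double-Base64 args."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _, image, _ in events:
        if basename(image) != "regsvr32.exe":
            continue
        chain = ancestors(pid, by_pid)
        names = [basename(e[2]) for e in chain]
        if "powershell.exe" in names and "wscript.exe" in names:
            double = any(is_double_base64(t) for e in chain for t in e[3].split())
            hits.append((pid, names, double))
    return hits
```

The regsvr32.exe launched by explorer.exe is left alone; only the wscript-to-powershell-to-regsvr32 ancestry is reported, together with whether a twice-encoded argument was seen on that chain.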
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
- Phishing
- Backdoor
- Malware