S0622 AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[1]

| Item | Value |
|---|---|
| ID | S0622 |
| Associated Names | |
| Version | 1.1 |
| Created | 10 June 2021 |
| Last Modified | 15 March 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | AppleSeed can gain system-level privileges by passing SeDebugPrivilege to the AdjustTokenPrivileges API.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | AppleSeed has the ability to communicate with C2 over HTTP.[1][2] |
| enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration.[2] |
| enterprise | T1560.001 | Archive via Utility | AppleSeed can zip and encrypt data collected on a target system.[1] |
| enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.[2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce to establish persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | AppleSeed has the ability to execute its payload via PowerShell.[1] |
| enterprise | T1059.007 | JavaScript | AppleSeed has the ability to use JavaScript to execute PowerShell.[1] |
| enterprise | T1005 | Data from Local System | AppleSeed can collect data on a compromised host.[1][2] |
| enterprise | T1025 | Data from Removable Media | AppleSeed can find and collect data from removable media devices.[1][2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | AppleSeed can stage files in a central location prior to exfiltration.[1] |
| enterprise | T1030 | Data Transfer Size Limits | AppleSeed has split files whose size is 0x1000000 bytes or more.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | AppleSeed can decode its payload prior to execution.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | AppleSeed can exfiltrate files via the C2 channel.[1] |
| enterprise | T1567 | Exfiltration Over Web Service | AppleSeed has exfiltrated files using web services.[2] |
| enterprise | T1008 | Fallback Channels | AppleSeed can use a second channel for C2 when the primary channel is in upload mode.[1] |
| enterprise | T1083 | File and Directory Discovery | AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | AppleSeed can delete files from a compromised host after they are exfiltrated.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine.[1][2] |
| enterprise | T1036 | Masquerading | AppleSeed can disguise JavaScript files as PDFs.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[1] |
| enterprise | T1106 | Native API | AppleSeed has the ability to use multiple dynamically resolved API calls.[1] |
| enterprise | T1027 | Obfuscated Files or Information | AppleSeed has the ability to Base64-encode its payload and custom-encrypt API calls.[1] |
| enterprise | T1027.002 | Software Packing | AppleSeed has used UPX packers for its payload DLL.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | AppleSeed has been distributed to victims through malicious e-mail attachments.[1] |
| enterprise | T1057 | Process Discovery | AppleSeed can enumerate the current process on a compromised host.[1] |
| enterprise | T1113 | Screen Capture | AppleSeed can take screenshots on a compromised host by calling a series of APIs.[1][2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | AppleSeed can call regsvr32.exe for execution.[1] |
| enterprise | T1082 | System Information Discovery | AppleSeed can identify the OS version of a targeted system.[1] |
| enterprise | T1016 | System Network Configuration Discovery | AppleSeed can identify the IP address of a targeted system.[1] |
| enterprise | T1124 | System Time Discovery | AppleSeed can pull a timestamp from the victim’s machine.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | AppleSeed can achieve execution through users running malicious file attachments distributed via email.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [1][2] |