Two sentences summarizing the article: ASEC reports that the Kimsuky threat group weaponizes Chrome Remote Desktop along with AppleSeed and other remote-access tools to take control of infected machines. The campaign centers on spearphishing with disguised document attachments and a suite of backdoors (AppleSeed, Infostealer, Ngrok, RDP Patcher, Chrome Remote Desktop) to maintain access and enable remote operations.
Read more: https://asec.ahnlab.com/en/55145/
Keypoints
- The Kimsuky APT group is using Chrome Remote Desktop alongside AppleSeed and other remote-control tools (e.g., Meterpreter, VNC, RDP Wrapper) to gain and maintain control of infected systems.
- Spear-phishing is used to deliver malware, often disguised in HWP, MS Office, or CHM attachments, prompting users to open regular-looking documents.
- AppleSeed is a backdoor with HTTP C2, capable of installing additional malware, and is launched via regsvr32 with specific arguments.
- Infostealer components extracted from AppleSeed target credentials stored by Chrome, Edge, and Naver Whale in dedicated ProgramData paths.
- RDP Patcher is used to bypass single-RDP-session restrictions by patching the Remote Desktop Service, with detailed patterns across Windows versions.
- Ngrok is employed as a tunneling tool to expose NAT-restricted hosts for remote access, including remote-install commands inside AppleSeed.
- Chrome Remote Desktop is set up as another remote-control channel, with host installation commands and PIN-based access.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Users receive spear phishing emails with attachments that masquerade as regular documents to install malware. Quote: “Users who receive spear phishing emails with these malware attachments can open these thinking these are regular document files…”
- [T1059] Command and Scripting Interpreter – The group uses script-type malware and commands (WSF/JS, PowerShell) to execute or decode payloads. Quote: “WSF or JS scripts with files disguised with document file extensions were mostly used in the AppleSeed distribution process.”
- [T1059.001] PowerShell – PowerShell commands are used to decode files during the Dropper execution. Quote: “PowerShell commands to decode files.”
- [T1059.007] JavaScript – JavaScript used as script-type droppers (WSF/JS) for AppleSeed distribution. Quote: “WSF or JS scripts with files disguised with document file extensions were mostly used in the AppleSeed distribution process.”
- [T1218.011] Signed Binary Proxy Execution: Regsvr32 – regsvr32.exe is used to load and execute AppleSeed with specific arguments. Quote: “regsvr32.exe /s /n /i:123qweASDZXC C:\Windows\..\ProgramData\o5C2anK.efgL”
- [T1105] Ingress Tool Transfer – The attacker downloads and installs tools like Ngrok and other payloads via commands issued to AppleSeed. Quote: “Ngrok is installed to enable remote control…”
- [T1021] Remote Services – The actors rely on remote-access services (Chrome Remote Desktop, RDP Wrapper, VNC) to control infected systems. Quote: “The Kimsuky APT group tends to use remote desktop services to obtain control over infected systems.”
- [T1572] Protocol Tunneling – Ngrok tunnels are used to reach remote hosts outside NAT. Quote: “Ngrok has been identified in multiple actual detected cases of attacks.”
- [T1555.003] Credentials from Web Browsers – Infostealer steals credentials from web browsers (Chrome, Edge, Whale) and stores them in local paths. Quote: “Target Web Browsers for Account Credential Theft” and “Path Where Account Credentials Are Stored”.
- [T1071.001] Web Protocols – AppleSeed communicates with its C2 over HTTP. Quote: “HTTP protocol for communication with the C&C server.”
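As an added defender-side example (not code from the ASEC report), the following triage script scores Windows process-creation events for two patterns the techniques above describe: regsvr32 launched with /n /i:<arg> against a module outside trusted directories (the AppleSeed loader pattern) and a Chrome Remote Desktop host registration via remoting_start_host.exe. The sample events are constructed; the `--pin=` switch in the sample command line is an assumption, not quoted from the report.

```python
"""Triage process-creation events for the AppleSeed / Chrome Remote Desktop
tradecraft described above.  Sample events are constructed, not from the report."""
from pathlib import PureWindowsPath

# Constructed Sysmon-style (EventID 1) events; values mirror the reported pattern only.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /i:123qweASDZXC C:\Windows\..\ProgramData\o5C2anK.efgL"},
    {"image": r"C:\Windows\System32\regsvr32.exe",           # benign registration
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\shell32.dll"},
    {"image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\1.0\remoting_start_host.exe",
     "cmdline": "remoting_start_host.exe --name=HOST --pin=123456"},  # --pin= assumed
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def normalize(path: str) -> str:
    """Collapse '..' segments so C:\\Windows\\..\\ProgramData\\x resolves to C:\\ProgramData\\x."""
    out: list[str] = []
    for part in PureWindowsPath(path).parts:
        if part == "..":
            if len(out) > 1:
                out.pop()
        else:
            out.append(part)
    return str(PureWindowsPath(*out)).lower()

def score_event(event: dict) -> list[str]:
    """Return human-readable findings for one event (empty list = nothing suspicious)."""
    image, cmd, findings = PureWindowsPath(event["image"]).name.lower(), event["cmdline"], []
    if image == "regsvr32.exe":
        tokens = cmd.split()[1:]
        flags = {t.lower().split(":", 1)[0] for t in tokens if t.startswith("/")}
        if {"/n", "/i"} <= flags:
            findings.append("regsvr32 /n /i: (DllInstall entry point, registration skipped)")
        for module in (t for t in tokens if not t.startswith("/")):
            resolved = normalize(module)
            if "\\..\\" in module:
                findings.append(f"'..' traversal in module path: {module}")
            if not resolved.startswith(TRUSTED_DIRS):
                findings.append(f"module outside trusted dirs: {resolved}")
            if PureWindowsPath(module).suffix.lower() != ".dll":
                findings.append(f"module without .dll extension: {module}")
    elif image == "remoting_start_host.exe":
        findings.append("Chrome Remote Desktop host registration started")
        if "--pin=" in cmd:
            findings.append("PIN supplied on the command line")
    return findings

def triage(events=SAMPLE_EVENTS) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events with at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := score_event(e))}

if __name__ == "__main__":
    for i, found in triage().items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], *("  - " + x for x in found), sep="\n")
```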
Indicators of Compromise
- [Domain] C2 domains used by AppleSeed and related tools: getara1.mygamesonline.org, pikaros2.r-e.kr. Context: C2 endpoints used by AppleSeed/EastSoftUpdate.
- [Domain] Ngrok-related download or tunnel endpoints: bigfile.mail.naver.com (Ngrok delivery) and related hosting domains. Context: Ngrok installation/download vectors.
- [Domain] Download and distribution hosts: (NAVG) bigfile.mail.naver.com and dl.google.com domains used for hosting Chrome Remote Desktop components. Context: Tools delivery and hosting.
- [MD5] 80f381a20d466e7a02ea37592a26b0b8 – AppleSeed (AdobeService.dll); b6d11017e02e7d569cfe203eda25f3aa – AppleSeed (EastSoftUpdate.dll); d2eb306ee0d7dabfe43610e0831bef49 – InfoStealer; d6a38ffdbac241d69674fb142a420740 – RDP Patcher; 946e1e0d2e0d7785d2e2bcd3634bcd2a – Chrome Remote Desktop launcher (23.bat)
- [File] AdobeService.dll, EastSoftUpdate.dll, svchost.exe, 23.bat, remoting_start_host.exe – Context: Files involved in the AppleSeed, Ngrok, and Chrome Remote Desktop deployment chains.
- [Path] C:\ProgramData\AdobeService\AdobeService.dll and similar – Context: Credentials storage paths used by the Infostealer for stolen browser data.