AppleSeed

The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.

HappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.

HTTPSpy is a full-featured remote access trojan that supports a wide range of capabilities to run shell commands, upload/download files, execute processes, capture screenshots, inject DLL paths into specified PID processes, and erase itself from the endpoint.

The discovered JSE file drops two additional pieces of malware encoded in Base64 and executes them through PowerShell commands.

AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.

The malware is packed with VMProtector.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

Akira has used legitimate names and locations for files to evade defenses.

The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.' | Several entries explicitly state files were deleted after exfiltration or upload, such as 'AppleSeed can delete files from a compromised host after they are exfiltrated,' 'Attor’s plugin deletes the collected files and log files after exfiltration,' and 'Ursnif has deleted data staged in tmp files after exfiltration.'

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Loads malicious DLL through regsvr32.exe.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.

enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Uses the systeminfo command to gather system information.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Gathers user account information on the system by using ‘net user’

The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives.

Checks for installed anti-virus software on the system.

The Spy version gathers sensitive information such as documents, screenshots, keystrokes, and lists of USB drives. This also includes harvesting data from the C:\GPKI directory.

AppleSeed can find and collect data from removable media devices. APT28 backdoor may collect the entire contents of an inserted USB device. Aria-body has the ability to collect data from USB devices. BADNEWS copies files with certain extensions from USB devices to a predefined directory.

AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine... RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.

The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

The DLL establishes persistence on the host using a scheduled task and contacts a command-and-control (C2) server to retrieve an as-yet-unknown payload.

AppleSeed has divided files if the size is 0x1000000 bytes or more. APT28 has split archived exfiltration files into chunks smaller than 1MB. APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.

enhanced versions of AppleSeed, such as HappyDoor, which focuses on data exfiltration and GPKI certificate extraction.