AlphaSeed

The group primarily uses spear-phishing attacks to distribute malware and attempt to take over accounts to harvest data.

HappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with normal bait files.

The discovered JSE file drops two additional pieces of malware encoded in Base64 and executes them through PowerShell commands.

An EXE file disguised as the SGA Solutions installer drops and executes information-stealing malware.

It replicates and loads itself into the following path and registers for auto-execution through the registry to maintain persistence.

It replicates and loads itself into the following path and registers for auto-execution through the registry to maintain persistence.

The malware is packed with VMProtector.

Loads malicious DLL through regsvr32.exe.

AlphaSeed captures keystroke information from the infected system.

Specifically steals cookie information from Chromium and Firefox-based browsers on the system.

Uses the systeminfo command to gather system information.

Steals specific files located on the C drive, including SSH and FileZilla data.

AlphaSeed captures keystroke information from the infected system.

Takes screenshots of the infected system’s desktop and saves them as files for theft.

Compresses and encrypts the folder containing the stolen information before exfiltrating it to the C&C server.

AlphaSeed receives commands and transmits stolen information via Naver Mail.