A new phishing attack, likely aimed at civil society groups in South Korea, has revealed a new RAT called SuperBear. According to a recent report from Interlabs, the intrusion targeted an unidentified activist who, in late August, received a malicious .LNK file from an email address impersonating a member of their organization.

Diving into details

  • When the LNK file is executed, it triggers a PowerShell command to run a Visual Basic script. This script, in turn, retrieves the next-stage payloads from a legitimate but compromised WordPress website. These payloads consist of the Autoit3.exe binary and an AutoIt script.
  • The AutoIt script plays a crucial role by employing the process hollowing technique, wherein malicious code is inserted into a process that is temporarily suspended. 
  • In this case, an instance of Explorer.exe is spawned to inject the SuperBear RAT. It establishes communication with a remote server to carry out various actions such as data exfiltration, downloading and executing additional shell commands, and loading dynamic-link libraries (DLLs). 
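The chain above leaves a distinctive parent/child trail in process-creation telemetry: PowerShell launching a script host, and Autoit3.exe spawning a fresh Explorer.exe as the hollowing target. The following added example (not code from the Interlabs report) runs that check over constructed Sysmon-style events; the PIDs, image names and command lines are assumptions.

```python
"""Flag the SuperBear-style process chain in constructed process-creation events."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name, normalised to lower-case below
    cmdline: str

    def __post_init__(self):
        self.image = self.image.lower()


# Parent -> child pairs drawn from the described chain: PowerShell running a
# VBScript host, and the AutoIt interpreter spawning Explorer.exe for hollowing.
SUSPICIOUS_PAIRS = {
    ("powershell.exe", "wscript.exe"),
    ("powershell.exe", "cscript.exe"),
    ("autoit3.exe", "explorer.exe"),
}

# Constructed sample telemetry (not real logs): pid 100 is the user's real
# desktop shell, pid 500 is the suspended Explorer.exe spawned by AutoIt.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -w hidden -c <lnk payload>"),
    ProcEvent(300, 200, "wscript.exe", "wscript.exe stage.vbs"),
    ProcEvent(400, 300, "Autoit3.exe", "Autoit3.exe script.au3"),
    ProcEvent(500, 400, "explorer.exe", "explorer.exe"),
    ProcEvent(600, 100, "notepad.exe", "notepad.exe"),   # benign control
]


def ancestry(by_pid, pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Return (pid, ancestry) for every child matching a suspicious parent pair."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and (parent.image, e.image) in SUSPICIOUS_PAIRS:
            findings.append((e.pid, ancestry(by_pid, e.pid)))
    return findings
```

The full ancestry is reported so an analyst can see that the flagged Explorer.exe descends from PowerShell rather than from a user logon.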

Attribution

  • Based on similarities observed in the initial attack vector and the presence of code correlations across multiple campaigns that have been monitored, there is a loose attribution of this campaign to the Kimsuky threat group.
  • However, there is no clear indication of shared infrastructure between this campaign and known Kimsuky clusters. 
  • In addition, the use of AutoIt for process hollowing in this campaign is noteworthy. The AutoIt script appears to be a modified version sourced from various online forums.
  • This aligns with a distinctive feature of Kimsuky's operations, as it has been known to adapt and utilize open-source tools in its activities.

The bottom line

The researchers have provided the IOCs to defend against this threat. Organizations should prioritize email security, implement robust endpoint protection, and educate employees about phishing risks. Additionally, ongoing monitoring and threat intelligence sharing are essential for staying ahead of evolving cyber threats.
Cyware Publisher