A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear.
The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report.
The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website.
This includes the Autoit3.exe binary (“solmir.pdb”) and an AutoIt script (“solmir_1.pdb”) that’s launched using the former.
The AutoIt script, for its part, performs process injection using a process hollowing technique, in which malicious code is inserted into a process that’s in a suspended state.
In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred to as SuperBear that establishes communications with a remote server to exfiltrate data, download and run additional shell commands and dynamic-link libraries (DDLs).
“The default action for the C2 server appears to instruct clients to exfiltrate and process system data,” Interlab researcher Ovi Liber said, noting that the malware is so named because “the malicious DLL will try to create a random filename for it, and if it can’t it will be named ‘SuperBear.'”
The attack has been loosely pinned on a North Korean nation-state actor named Kimsuky (aka APT43 or Emerald Sleet, Nickel Kimball, and Velvet Chollima), citing similarities with the initial attack vector and the PowerShell commands used.
Earlier this February, Interlab also revealed that North Korean nation-state actors targeted a journalist in South Korea with Android malware dubbed RambleOn as part of a social engineering campaign.