A new phishing attack probable focusing on civil modern society groups in South Korea has led to the discovery of a novel distant access trojan identified as SuperBear.
The intrusion singled out an unnamed activist, who was contacted in late August 2023 and been given a malicious LNK file from an tackle impersonating a member of the business, non-gain entity Interlabs mentioned in a new report.
The LNK file, on execution, launches a PowerShell command to execute a Visible Essential script that, in switch, fetches the following-stage payloads from a reputable but compromised WordPress web site.
This incorporates the Autoit3.exe binary (“solmir.pdb”) and an AutoIt script (“solmir_1.pdb”) which is introduced making use of the former.
The AutoIt script, for its portion, performs procedure injection working with a approach hollowing strategy, in which destructive code is inserted into a system that’s in a suspended point out.
In this circumstance, an instance of Explorer.exe is spawned to inject a by no means-just before-found RAT referred to as SuperBear that establishes communications with a remote server to exfiltrate facts, obtain and operate added shell commands and dynamic-url libraries (DDLs).
“The default action for the C2 server appears to instruct clients to exfiltrate and approach method data,” Interlab researcher Ovi Liber reported, noting that the malware is so named simply because “the destructive DLL will test to create a random filename for it, and if it won’t be able to it will be named ‘SuperBear.'”
The attack has been loosely pinned on a North Korean country-condition actor named Kimsuky (aka APT43 or Emerald Sleet, Nickel Kimball, and Velvet Chollima), citing similarities with the initial attack vector and the PowerShell commands utilized.
Previously this February, Interlab also uncovered that North Korean country-state actors focused a journalist in South Korea with Android malware dubbed RambleOn as aspect of a social engineering campaign.
Located this article attention-grabbing? Stick to us on Twitter and LinkedIn to examine more distinctive information we write-up.
Some parts of this article are sourced from:
thehackernews.com