New SuperBear Trojan Targets South Korean Activists

Diving into details

• When the LNK file is executed, it triggers a PowerShell command to run a Visual Basic script. This script, in turn, retrieves the next-stage payloads from a legitimate but compromised WordPress website. These payloads consist of the Autoit3.exe binary and an AutoIt script.
• The AutoIt script plays a crucial role by employing the process hollowing technique, wherein malicious code is inserted into a process that is temporarily suspended. 
• In this case, an instance of Explorer.exe is spawned to inject the SuperBear RAT. It establishes communication with a remote server to carry out various actions such as data exfiltration, downloading and executing additional shell commands, and loading dynamic-link libraries (DLLs). 

Attribution

• Based on similarities observed in the initial attack vector and the presence of code correlations across multiple campaigns that have been monitored, there is a loose attribution of this campaign to the Kimsuky threat group.
• However, there is no clear indication of shared infrastructure between this campaign and known Kimsuky clusters. 
• In addition, the use of AutoIT for process hollowing in this campaign is noteworthy. The AutoIT script appears to be a modified version sourced from various online forums. 
• This aligns with a distinctive feature of Kimsuky's operations, as it has been known to adapt and utilize open-source tools in its activities.

The bottom line