South Korean activists targeted by the new SuperBear trojan

September 12, 2023

A new malware campaign is using the SuperBear trojan to infect civil society organisations in South Korea, activists in particular. Reports show that the trojan is being delivered through a newly observed phishing operation.

The operation came to light when an undisclosed activist received a malicious LNK file last month from an email address impersonating a member of their own organisation, a South Korean non-profit.

The SuperBear trojan arrives through a phishing campaign whose LNK attachment executes a PowerShell command.

The SuperBear trojan is spread by a phishing campaign that delivers an LNK (Windows shortcut) file. When opened, the shortcut launches a PowerShell command that runs a Visual Basic Script (VBS), which in turn retrieves the next-stage payloads from a legitimate but compromised WordPress website.

The retrieved payloads are an AutoIt script and the AutoIt interpreter binary, Autoit3.exe, which are launched to continue the attack chain.

The AutoIt script performs process injection by process hollowing: it starts a legitimate program in a suspended state, replaces the contents of its memory with malicious code, and then resumes the thread so the injected code runs under the legitimate process's name.

In this campaign the hollowed process is a freshly spawned instance of Explorer.exe, into which the script injects a previously undocumented remote access trojan named SuperBear. The trojan communicates with a remote server to exfiltrate data and to download and execute additional shell commands and dynamic-link libraries (DLLs).
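The delivery chain described above (LNK, then PowerShell, then a VBS, then AutoIt, then a hollowed Explorer.exe) leaves a distinctive parent-child trail in process-creation telemetry. The following is an added example written for this page, not code from the article or from the researchers who analysed the campaign. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ProcessId, ParentProcessId) and runs over constructed events; it also goes slightly beyond the specific case in the text by flagging any explorer.exe spawned by a script interpreter, since that is the hollowing pattern regardless of which stager is used.

```python
"""Hunt for the SuperBear delivery chain (LNK -> PowerShell -> VBS ->
AutoIt -> hollowed explorer.exe) in process-creation telemetry.

Added example, not code from the original article. Field names follow
Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentProcessId); the
events at the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Script hosts that should not be the parent of explorer.exe on a
# workstation; a fresh explorer.exe under one of these is a classic
# process-hollowing target (assumption: no admin tooling does this here).
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "pwsh.exe", "mshta.exe"}

# Ancestors expected above the AutoIt stage, nearest first. The last
# explorer.exe is the user's desktop shell that launched the LNK.
UPPER_CHAIN = ("wscript.exe", "powershell.exe", "explorer.exe")

# Matches "-w hidden", "-windowstyle hidden", "-e", "-enc", "-encodedcommand".
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\b)", re.I)


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: dict[int, ProcEvent],
             max_depth: int = 8) -> list[ProcEvent]:
    """[parent, grandparent, ...] by following ParentProcessId, cycle-safe."""
    chain, seen, cur = [], {ev.pid}, ev
    while len(chain) < max_depth:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return chain


def is_subsequence(needle: tuple[str, ...], hay: list[str]) -> bool:
    """True if every name in needle appears in hay in that order."""
    it = iter(hay)
    return all(any(name == h for h in it) for name in needle)


def find_superbear_like_chains(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per explorer.exe spawned by a script host.

    severity "full_chain": parent is Autoit3.exe and wscript.exe ->
    powershell.exe -> explorer.exe appear above it in order; otherwise
    "explorer_from_interpreter", a weaker but still anomalous signal.
    """
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "explorer.exe":
            continue
        parents = ancestry(ev, by_pid)
        if not parents or basename(parents[0].image) not in SCRIPT_HOSTS:
            continue
        names = [basename(p.image) for p in parents]
        full = names[0] == "autoit3.exe" and is_subsequence(UPPER_CHAIN, names[1:])
        ps_flags = any(basename(p.image) in ("powershell.exe", "pwsh.exe")
                       and HIDDEN_OR_ENCODED.search(p.cmdline) is not None
                       for p in parents)
        findings.append({
            "severity": "full_chain" if full else "explorer_from_interpreter",
            "pids": [ev.pid] + [p.pid for p in parents],
            "images": [basename(ev.image)] + names,
            "powershell_hidden_or_encoded": ps_flags,
        })
    return findings


# Constructed telemetry (not real logs). PID 1000 is the user's desktop
# shell; double-clicking the LNK makes it the parent of powershell.exe.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "wscript.exe $env:TEMP\stage.vbs"'),
    ProcEvent(2002, 2001, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\stage.vbs"'),
    ProcEvent(2003, 2002, r"C:\Users\u\AppData\Local\Temp\Autoit3.exe",
              r"Autoit3.exe C:\Users\u\AppData\Local\Temp\stage.au3"),
    ProcEvent(2004, 2003, r"C:\Windows\explorer.exe", "explorer.exe"),  # hollowed
    # Benign noise: an ordinary child of the desktop shell.
    ProcEvent(3001, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for f in find_superbear_like_chains(SAMPLE_EVENTS):
        print(f["severity"], " -> ".join(reversed(f["images"])), f["pids"])
```

The hunt starts from the suspicious end of the chain (a new explorer.exe whose parent is a script host) and walks up ParentProcessId, so intermediate launchers such as cmd.exe between stages do not break the match; tune SCRIPT_HOSTS and UPPER_CHAIN to your own baseline before deploying it as a rule.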

The researchers stated that the campaign's command-and-control server's default action appears to be instructing clients to collect and exfiltrate system information. They also explained the name: the malicious DLL tries to generate a random filename for itself, and if that fails it falls back to the name SuperBear.

Threat analysts assess that the attack likely originated from a North Korean state-sponsored group. The leading suspect is Kimsuky (also tracked as APT43), because the campaign's initial attack vector and its PowerShell commands overlap with that group's known activity.

This incident is the latest in a series of attacks by North Korean state-sponsored groups against South Korean entities. Earlier this year, South Korean journalists were targeted with the RambleOn malware, delivered through social engineering.

South Korean organisations remain a persistent target for these groups because of the long-standing conflict between the two countries. They should therefore strengthen their defences, with particular attention to phishing-delivered LNK files and scripted payload chains like the one described here, to mitigate or prevent such attacks.
