SuperBear Trojan Deployed Against South Korean Targets

A recent phishing attack, likely aimed at civil society organizations in South Korea, has surfaced a previously undocumented remote access trojan called SuperBear. The intrusion targeted an unnamed activist who, in late August 2023, received a malicious LNK file from an address impersonating a member of the organization, according to a new report by the non-profit Interlab.

SuperBear Uses Multi-Stage Chain of Attack

Upon execution, the LNK file runs a PowerShell command that launches a Visual Basic script, which in turn retrieves the next-stage payloads from a legitimate but compromised WordPress website. Those payloads are the AutoIt3.exe interpreter (downloaded under the name "solmir.pdb") and an AutoIt script ("solmir_1.pdb") that the interpreter then executes.

The AutoIt script then performs process hollowing, a process injection technique in which a legitimate process is started in a suspended state, its memory is replaced with malicious code, and the process is resumed so the code runs under the legitimate image name. In this instance it spawns an instance of Explorer.exe and injects the previously unknown RAT, SuperBear, which communicates with a remote command-and-control server to exfiltrate data, run additional shell commands, and download and execute dynamic-link libraries (DLLs).
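The delivery chain above leaves two artifacts a defender can hunt for: PE binaries stored under a non-executable extension (the AutoIt3.exe interpreter fetched as "solmir.pdb"), and an explorer.exe process that was spawned by a chain running back through a script host and PowerShell, which a legitimately started shell never is. The following is an added example written for this page, not code from Interlab or from the report; the file contents and the simplified Sysmon-style process-creation events are constructed stand-ins, and the event field names (pid, ppid, image, cmdline) are an assumption about the log format.

```python
"""Hunt for the SuperBear delivery chain: masqueraded PE files and a
hollowing-candidate explorer.exe spawned under a PowerShell/script-host lineage.
Added example; inputs below are constructed, not real samples."""
import ntpath
import struct

# Extensions under which Windows normally executes code. A PE file on disk,
# or a running process image, with any other extension is a masquerade.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_masquerades(files: dict) -> list:
    """files maps path -> bytes. Return paths that are PEs under a non-executable extension."""
    hits = []
    for path, data in files.items():
        ext = ntpath.splitext(path)[1].lower()
        if ext not in EXEC_EXTS and is_pe(data):
            hits.append(path)
    return sorted(hits)


def lineage(pid: int, by_pid: dict) -> list:
    """Image basenames from pid upward to the root; safe against missing parents and cycles."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        names.append(ntpath.basename(ev["image"]).lower())
        pid = ev["ppid"]
    return names


def suspicious_chains(events: list) -> list:
    """Return (pid, reason) for processes matching either hunting rule, sorted by pid."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        chain = lineage(e["pid"], by_pid)
        image, ancestors = chain[0], set(chain[1:])
        # Rule 1: the running image itself carries a non-executable extension (e.g. .pdb).
        if ntpath.splitext(image)[1] not in EXEC_EXTS:
            hits.append((e["pid"], "process image has non-executable extension: " + e["image"]))
        # Rule 2: explorer.exe descended from powershell.exe and a script host (hollowing target).
        elif image == "explorer.exe" and "powershell.exe" in ancestors and SCRIPT_HOSTS & ancestors:
            hits.append((e["pid"], "explorer.exe under powershell/script-host lineage: " + " <- ".join(chain)))
    return sorted(hits)


def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header, enough to satisfy is_pe()."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + bytes(20)


# Constructed on-disk artifacts (not the real samples).
SAMPLE_FILES = {
    r"C:\ProgramData\solmir.pdb": _fake_pe(),                        # PE hiding as a .pdb
    r"C:\ProgramData\solmir_1.pdb": b"; constructed AutoIt text\r\n",  # script, not a PE
    r"C:\Windows\System32\notepad.exe": _fake_pe(),                    # PE under a normal extension
    r"C:\tmp\real.pdb": b"Microsoft C/C++ MSF 7.00\r\n",              # genuine symbol file
}

# Constructed process-creation events modelling LNK -> PowerShell -> VBS -> AutoIt -> explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c ..."},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",   "cmdline": "wscript //e:vbscript x.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\ProgramData\solmir.pdb",         "cmdline": "solmir.pdb solmir_1.pdb"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",   "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for path in pe_masquerades(SAMPLE_FILES):
        print("masqueraded PE:", path)
    for pid, reason in suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Rule 1 fires on the interpreter executing as solmir.pdb and Rule 2 on the second explorer.exe (pid 500), while the user's own shell, PowerShell launched from it, and notepad.exe stay clean. Rule 2 keys on lineage rather than on the AutoIt3.exe name because a renamed interpreter defeats image-name matching; if your telemetry includes Sysmon Event ID 10 (ProcessAccess) or 8 (CreateRemoteThread), adding a check for the suspended child being written to by its parent tightens the hollowing signal further.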

Interlab researcher Ovi Liber explained, "The C2 server's default action seems to instruct clients to exfiltrate and process system data," adding that the malware earns its name because "the malicious DLL will attempt to generate a random filename for itself, and if it fails, it will be named 'SuperBear.'"

The attack is tentatively attributed to the North Korean nation-state actor known as Kimsuky (also tracked as APT43, Emerald Sleet, Nickel Kimball, and Velvet Chollima), based on similarities in the initial attack vector and the PowerShell commands used.

Earlier this year in February, Interlab disclosed that North Korean nation-state actors targeted a South Korean journalist with Android malware called RambleOn as part of a social engineering campaign.

September 5, 2023