A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear.
The AutoIt script, for its part, performs process injection using a process hollowing technique, in which malicious code is inserted into a process that’s in a suspended state.
In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred to as SuperBear that establishes communications with a remote server to exfiltrate data, download and run additional shell commands and dynamic-link libraries (DDLs).
The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report.
The attack has been loosely pinned on a North Korean nation-state actor named Kimsuky (aka APT43 or Emerald Sleet, Nickel Kimball, and Velvet Chollima), citing similarities with the initial attack vector and the PowerShell commands used.
Earlier this February, Interlab also revealed that North Korean nation-state actors targeted a journalist in South Korea with Android malware dubbed RambleOn as part of a social engineering campaign.
Source: https://thehackernews.com/
