The payload delivery website is a compromised wordpress instance of a legitimate website. For this reason, we have redacted it from the report and reached out to the owner to inform them of the compromise.
As you can see, the command is pulling two payloads from the domain. These two payloads are:
1. The AutoIT3 executable, downloaded with the filename “solmir.pdb” and renamed to Autoit3.exe. AutoIT3 is an open-source scripting technology (https://www.autoitscript.com/site/autoit/).
2. A compiled and packed AutoIT3 script, downloaded with the filename “solmir_1.pdb” and renamed to “MTdYFp.au3”.
Once the executable and compiled script are downloaded, AutoIT3 is executed with the compiled script passed as a parameter. The script then runs and performs a process injection operation.
AutoIT process injection using process hollowing
The AutoIT script performs a typical process hollowing operation by calling native Windows APIs. It first calls “CreateProcess” to spawn an instance of Explorer.exe with the suspended-process creation flag. The suspended process is then unmapped using “NtUnmapViewOfSection” before the malicious code is written into it via “VirtualAllocEx” and “WriteProcessMemory”, and the process is then resumed via “SetThreadContext” and “ResumeThread”.
Additional context on the threat actors’ use of AutoIT is provided at the bottom of this article.
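As an added example (not code from the original report or from Interlab), the following Python script shows how a defender could flag the AutoIT-to-Explorer.exe chain described above in process-creation telemetry. It assumes Sysmon-style event fields (image path, parent image path, command line, pid/ppid); the trusted install prefixes and the sample events are constructed for illustration and the pids are not taken from the incident.

```python
"""Flag the AutoIt3 -> explorer.exe chain described above in process-creation telemetry.

Input is assumed to be Sysmon-style process-creation events (image path, parent
image path, command line, pid/ppid). All sample events below are constructed.
"""
import ntpath
from dataclasses import dataclass

# Where a legitimately installed AutoIt interpreter is expected to live (assumption;
# adjust to the software inventory of the environment being monitored).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    cmdline: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on a non-Windows host
    return ntpath.basename(path).lower()


def analyze(events):
    """Return (severity, pid, reason) tuples for events matching the reported chain."""
    findings = []
    suspicious_autoit_pids = set()
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)

        if image == "autoit3.exe":
            outside_install = not ev.image.lower().startswith(TRUSTED_PREFIXES)
            runs_script = ".au3" in ev.cmdline.lower()
            if outside_install and runs_script:
                # Interpreter dropped into a user-writable path and handed a script:
                # the renamed solmir.pdb / MTdYFp.au3 stage in the report.
                suspicious_autoit_pids.add(ev.pid)
                findings.append(("medium", ev.pid,
                                 "AutoIt3 interpreter outside its install directory "
                                 f"is running a script: {ev.cmdline}"))

        if image == "explorer.exe" and (parent == "autoit3.exe"
                                        or ev.ppid in suspicious_autoit_pids):
            # explorer.exe is normally started by userinit.exe at logon; a script
            # interpreter spawning it matches the hollowing target in the report.
            findings.append(("high", ev.pid,
                             f"explorer.exe spawned by AutoIt interpreter (pid {ev.ppid}); "
                             "candidate process-hollowing target"))
    return findings


# Constructed sample telemetry (not real log data), modelled on the reported chain.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    ProcEvent("2023-08-29T10:00:01Z", 3120, 2880, TEMP + "Autoit3.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              f'"{TEMP}Autoit3.exe" {TEMP}MTdYFp.au3'),
    ProcEvent("2023-08-29T10:00:02Z", 3544, 3120, "C:\\Windows\\explorer.exe",
              TEMP + "Autoit3.exe", "C:\\Windows\\explorer.exe"),
    # benign: the logon shell started the normal way
    ProcEvent("2023-08-29T09:55:00Z", 1888, 1500, "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\userinit.exe", "C:\\Windows\\explorer.exe"),
    # benign: an installed AutoIt running an admin's script
    ProcEvent("2023-08-29T10:05:00Z", 5012, 1888,
              "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "C:\\Windows\\explorer.exe",
              '"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" C:\\Users\\admin\\backup.au3'),
]

if __name__ == "__main__":
    for sev, pid, reason in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} {reason}")
```

Process-creation logs normally do not record the suspended creation flag or the NtUnmapViewOfSection/WriteProcessMemory calls, so the rule keys on what such logs do contain: the interpreter's location and the unusual parent of explorer.exe. The API sequence itself is something an EDR with user-mode API monitoring would surface, and memory-dumping the suspicious explorer.exe (as the IOC table's dumped PE suggests was done) is the way to recover the injected payload for analysis.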
The malicious code in this malware campaign appeared to be a novel remote access trojan which we dubbed SuperBear RAT. This variant of SuperBear RAT established a connection to a C2 server located at:
IP Address: 89[.]117[.]139[.]230
Domain: hironchk[.]com
The RAT performs one of three primary attack operations:
1. Exfiltrate process and system data
2. Download and execute a shell command
3. Download and run a DLL
The default action of the C2 server appears to be to instruct clients to exfiltrate process and system data. This is typical of attack campaigns distributed by this group, as they are careful about reconnaissance; an example of this can be seen below. The threat actors can also instruct the RAT to execute shell commands or download a malicious DLL onto the infected machine. A random filename is generated for the malicious DLL, and if that fails it is named “SuperBear”.
Interlab threat researcher Ovi has documented a full technical report of SuperBear RAT on the authoring threat researcher’s blog here.
Additional context on attribution & surrounding open-source usage
Based on similarities in the initial attack vector and correlations with code across multiple campaigns we have tracked, we have a loose attribution for this campaign to Kimsuky. It should be noted that so far we have no indication of infrastructure overlaps with Kimsuky clusters, which is why we only suspect this at this time. In addition, we see a strong overlap with commands utilized in a recent campaign detailed here (https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247493300&idx=1&sn=614dda72d95b5dfd732916aec0662598&cur_album_id=1915287066892959748#rd), which indicates like-for-like PowerShell commands during initial access. We invite industry to contribute on this.
The AutoIT script used for process hollowing in this campaign was found to be a modified script taken from various forums:
– https://www.autoitscript.com/forum/topic/99412-run-binary/page/8/
– https://syra.forumcommunity.net/?t=55181142
– https://autoit-script.ru/threads/peredacha-parametrov-komandnoj-stroki.24834/
This is an interesting and notable feature of operations run by Kimsuky, and a novel attack vector among those we have seen. Kimsuky has notably used open-source tooling in the past, such as Quasar RAT. There have been multiple reports of other North Korean threat groups adopting open-source tooling in recent operations (https://blog.talosintelligence.com/lazarus-collectionrat/).
With regard to SuperBear RAT, we base our assessment that it is novel on the data found in the RAT itself not matching existing signatures. We have yet to find a similar sample in retro hunting, though this is subject to change. We invite additional research from other civil society groups and industry.
UPDATE 9/18/2023: We are now aware that the foundational code of this RAT has been taken from the open-source loader framework Chimera Loader. We note key features of the RAT that differ from Chimera Loader and allow SuperBear to act as a RAT that exfiltrates information. We hope to perform further analysis on this in the future.
IOCs
| Context | Filename | Hash / Indicator |
|---|---|---|
| AutoIT script | solmir_1.pdb | 5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e |
| SuperBear RAT (dumped PE) | 4000.explorer.exe | 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb |
| C2 IP | N/A | 89[.]117[.]139[.]230 |
| C2 Domain | N/A | hironchk[.]com |
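As an added example (not code from the original report or from Interlab), the following Python script parses the IOC table above, refangs the bracketed dots the report uses, and sweeps log lines for the indicators. The table text is copied from the report; the DNS, connection and file-hash log lines are constructed for this example and are not real telemetry.

```python
"""Parse the IOC table of this report, refang the indicators and sweep log lines for them.

The table text is copied from the report; the log lines are constructed for this
example and are not real telemetry.
"""
import re

IOC_TABLE = """\
Context | Filename | Hash |
AutoIT script | solmir_1.pdb | 5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e |
SuperBear RAT (dumped PE) | 4000.explorer.exe | 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb |
C2 IP | N/A | 89[.]117[.]139[.]230 |
C2 Domain | N/A | hironchk[.]com |
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Undo the '[.]' defanging used in the report so the value can be matched in logs."""
    return value.replace("[.]", ".")


def parse_ioc_table(text: str):
    """Return one dict per data row: context, filename, type (sha256/ipv4/domain), value."""
    rows = [ln.strip().strip("|") for ln in text.splitlines() if ln.strip()]
    indicators = []
    for row in rows[1:]:                      # rows[0] is the header
        cells = [c.strip() for c in row.split("|")]
        value = refang(cells[-1]).lower()     # last column holds the indicator itself
        if SHA256_RE.match(value):
            kind = "sha256"
        elif IPV4_RE.match(value):
            kind = "ipv4"
        else:
            kind = "domain"
        indicators.append({"context": cells[0], "filename": cells[1],
                           "type": kind, "value": value})
    return indicators


def _pattern(ind):
    v = re.escape(ind["value"])
    if ind["type"] == "ipv4":
        # no digit or dot on either side, so 189.117.139.230 does not hit 89.117.139.230
        return re.compile(rf"(?<![\d.]){v}(?![\d.])")
    if ind["type"] == "domain":
        # a preceding '.' is allowed on purpose so subdomains of the C2 domain also hit
        return re.compile(rf"(?<![\w-]){v}(?![\w-])", re.IGNORECASE)
    return re.compile(v, re.IGNORECASE)       # hashes may be logged in upper case


def sweep(indicators, lines):
    """Return (line_number, type, value) for every log line that contains an indicator."""
    compiled = [(ind, _pattern(ind)) for ind in indicators]
    hits = []
    for n, line in enumerate(lines, start=1):
        for ind, pat in compiled:
            if pat.search(line):
                hits.append((n, ind["type"], ind["value"]))
    return hits


# Constructed sample log lines (DNS, connection and file-hash events).
SAMPLE_LOG = [
    "2023-08-29T10:00:03Z dns client=10.0.0.15 query=hironchk.com type=A",
    "2023-08-29T10:00:04Z conn 10.0.0.15:50112 -> 89.117.139.230:443 proto=tcp",
    "2023-08-29T10:00:05Z dns client=10.0.0.15 query=update.microsoft.com type=A",
    "2023-08-29T10:00:06Z file path=C:\\Users\\victim\\AppData\\Local\\Temp\\MTdYFp.au3 "
    "sha256=5305B8969B33549B6BD4B68A3F9A2DB1E3B21C5497A5D82CEC9BEAECA007630E",
    "2023-08-29T10:00:07Z conn 10.0.0.15:50113 -> 189.117.139.230:443 proto=tcp",
]

if __name__ == "__main__":
    for n, kind, value in sweep(parse_ioc_table(IOC_TABLE), SAMPLE_LOG):
        print(f"line {n}: {kind} indicator {value}")
```

The type-specific boundaries matter in practice: a plain substring search for the C2 address would also fire on the unrelated 189.117.139.230 connection in the sample, while the domain pattern deliberately accepts subdomains of hironchk[.]com because the report lists only the apex.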
Source: https://interlab.or.kr/archives/19416