Researchers describe a novel RAT named SuperBear used in a campaign—delivered via a compromised WordPress site—to harvest data and execute commands on victims. The operation involves AutoIT-based payloads, process hollowing, and a C2 server at 89.117.139.230 / hironchk.com, with loose attribution to Kimsuky and references to open-source tooling and Chimera Loader.
Keypoints
- Payloads are delivered from a compromised WordPress site hosting the attackers’ command and payloads.
- Two payloads are pulled: an AutoIT3 executable (solmir.pdb) renamed to Autoit3.exe, and a compiled/packed AutoIT3 script (solmir_1.pdb) renamed to MTdYFp.au3.
- AutoIT-based process hollowing is used to inject into Explorer.exe via a suspended process, followed by unmapping and writing malicious code.
- The resulting SuperBear RAT connects to a C2 at 89.117.139.230 and the domain hironchk.com, and supports three primary actions (data exfiltration, shell command execution, DLL download/run).
- Attribution is described as loose (Kimsuky) with overlap to open-source tooling and references to other campaigns (e.g., PowerShell usage in initial access).
- The researchers note that the AutoIT technique used is based on modified open-source scripts, and that the RAT appears to be a novel variant influenced by Chimera Loader.
MITRE Techniques
- [T1189] Drive-by Compromise – Payloads are hosted on a compromised WordPress instance of a legitimate site: ‘The payload delivery website is a compromised wordpress instance of a legitimate website.’
- [T1105] Ingress Tool Transfer – The command is pulling two payloads from the domain: ‘1. AutoIT3 executable with filename “solmir.pdb” renamed to Autoit3.exe … 2. A compiled and packed AutoIT3 script called with the filename “solmir_1.pdb” which is renamed to “MTdYFp.au3”’
- [T1027] Obfuscated Files or Information – The payload includes a ‘compiled and packed AutoIT3 script’
- [T1036] Masquerading – Filenames are renamed to resemble legitimate AutoIt components: ‘solmir.pdb’ -> Autoit3.exe; ‘solmir_1.pdb’ -> ‘MTdYFp.au3’
- [T1055.012] Process Hollowing – AutoIT script performs process hollowing by spawning Explorer.exe suspended, unmapping, writing malicious code, and resuming.
- [T1041] Exfiltration Over C2 Channel – The RAT can exfiltrate process and system data; the default C2 instruction focuses on exfiltration and data processing.
- [T1059.001] PowerShell – Overlaps with PowerShell commands used during initial access in related campaigns, per attribution notes.
Indicators of Compromise
- [Filename] AutoIT script – solmir_1.pdb, MTdYFp.au3
- [Hash] 5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e, 282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb
- [Filename] SuperBear RAT (dumped PE) – 4000.explorer.exe
- [IP Address] C2 IP – 89.117.139.230
- [Domain] C2 Domain – hironchk.com
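The following triage routine is an added example, not code from the Interlab report: it maps constructed endpoint telemetry (the event schema with host, type, src, dst, parent, image, query and dst_ip fields is an assumption; real sensors use their own) to the staged filenames, hashes, hollowing parent-child pattern and C2 indicators listed in the sections above, and flags a host only when more than one indicator class fires.

```python
from collections import defaultdict

# Indicators taken from the report summary; the telemetry schema below is assumed.
C2_IPS = {"89.117.139.230"}
C2_DOMAINS = {"hironchk.com"}
STAGED_FILES = {"solmir.pdb", "solmir_1.pdb", "mtdyfp.au3"}
KNOWN_HASHES = {
    "5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e",
    "282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb",
}

def classify(ev):
    """Return (label, reason) for one event, or None if nothing matched."""
    t = ev["type"]
    if t == "file_rename" and ev["src"].lower() in STAGED_FILES:
        return ("T1036", f"staged file {ev['src']} renamed to {ev['dst']}")
    if t == "file_create" and ev.get("sha256", "").lower() in KNOWN_HASHES:
        return ("T1105", f"known payload hash written to {ev['path']}")
    if t == "process_create":
        parent, image = ev["parent"].lower(), ev["image"].lower()
        # AutoIt interpreter spawning explorer.exe is the hollowing host pattern
        if parent.endswith("autoit3.exe") and image.endswith("explorer.exe"):
            return ("T1055.012", f"{ev['parent']} spawned {ev['image']}")
    if t == "dns_query" and ev["query"].lower().rstrip(".") in C2_DOMAINS:
        return ("C2", f"DNS lookup for C2 domain {ev['query']}")
    if t == "net_connect" and ev["dst_ip"] in C2_IPS:
        return ("C2", f"connection to C2 address {ev['dst_ip']}")
    return None

def triage(events):
    """Group matches per host; flag a host when >= 2 distinct labels fire."""
    hits = defaultdict(list)
    for ev in events:
        m = classify(ev)
        if m:
            hits[ev["host"]].append(m)
    return {h: {"labels": sorted({lbl for lbl, _ in ms}),
                "reasons": [r for _, r in ms],
                "flagged": len({lbl for lbl, _ in ms}) >= 2} for h, ms in hits.items()}

# Constructed sample telemetry (not real logs): one infected host, one clean host
SAMPLE = [
    {"host": "ws01", "type": "file_rename", "src": "solmir.pdb", "dst": "Autoit3.exe"},
    {"host": "ws01", "type": "file_rename", "src": "solmir_1.pdb", "dst": "MTdYFp.au3"},
    {"host": "ws01", "type": "process_create", "parent": "C:\\Users\\u\\Autoit3.exe",
     "image": "C:\\Windows\\explorer.exe"},
    {"host": "ws01", "type": "dns_query", "query": "hironchk.com"},
    {"host": "ws01", "type": "net_connect", "dst_ip": "89.117.139.230"},
    {"host": "ws02", "type": "process_create", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, result)
```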
Read more: https://interlab.or.kr/archives/19416