Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia
Published 01 Sep
Analysis of a novel RAT, dubbed "SuperBear", that has been found targeting a journalist and is deployed using open-source AutoIT scripts.
Author: Ovi Liber
Executive Summary
On 8/28/2023, Interlab received a sample that had been sent to a journalist, with highly targeted content luring the recipient to open the document. The journalist had received the email from an activist, who in turn had been contacted, with the malicious document attached, by an address impersonating a member of the organisation. The document was a .LNK file which, upon execution, ran a malicious PowerShell command and opened a legitimate DOCX related to the organization.
After analysis, Interlab discovered that, following the initial compromise, an AutoIT script was executed to perform process injection using a process hollowing technique. The injected process contained a novel RAT, which we dubbed "SuperBear" due to naming conventions in the code. We believe this to be a …
IoC