Reverse engineering SuperBear RAT
You’re probably thinking, why is it called SuperBear? Well, here’s why:
I spent some time analyzing this attack campaign, which was impacting civil society groups, and thought it would be a good idea to document the technical analysis for the low-level infosec consumers. You can read our high-level report of the malware campaign here on Interlab’s website.
Nevertheless, I found this sample to be quite interesting since it utilized some interesting techniques. Notably, it uses AutoIT to perform process hollowing, and the C2 protocol itself is somewhat similar to that of commodity RATs.
AutoIT initial access
The initial finding of the RAT disclosed on the Interlab website discusses how we found it to be deployed using an AutoIT script. I won’t go into the original maldoc or PowerShell commands since they’re covered in that publication. So let’s start by looking at the AutoIT script.
On initial view, I’d found that the script …
IoC