FISA

A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called  SuperBear . The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website. This includes the Autoit3.exe binary ("solmir.pdb") and an AutoIt script ("solmir_1.pdb") that's launched using the former. The AutoIt script, for its part, performs process injection using a  process hollowing technique , in which malicious code is inserted into a process that's in a suspended state. In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred...