New SuperBear trojan emerges in targeted phishing attacks

SISA Weekly Threat Watch - 11 September 2023

In a world increasingly reliant on digital technologies, the threat landscape continues to evolve. From cybercriminals targeting exposed Microsoft SQL databases to an increase in targeted social engineering attacks, and the emergence of sophisticated hacking groups, the need for heightened cybersecurity measures is more evident than ever. As cyber threats become more frequent and advanced, it is critical to stay educated and employ strong security measures.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Exposed Microsoft SQL databases targeted to deploy FreeWorld ransomware

Poorly secured Microsoft SQL (MSSQL) servers have become a preferred target for many attacker groups, including ransomware gangs. In a recent campaign, the typical attack sequence began with brute-forcing access to an exposed MSSQL database, enumerating it, and then using the xp_cmdshell configuration option to run shell commands and conduct reconnaissance.

After initial infiltration, the attackers expand their foothold inside the target system and launch a number of different payloads using MSSQL as a beachhead, including remote-access Trojans (RATs) and a new Mimic ransomware variant called “FreeWorld.” The attackers also set up a remote SMB share to mount a directory containing their tools, such as a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. They also use Mimikatz and a network port scanner to move laterally within the network and dump credentials. It is critical to have unique and complex passwords for MSSQL databases exposed to the internet. It is also advised to use VPN tunnels, when possible, to access MSSQL servers instead of exposing them directly to the internet.
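The two earliest signals of the MSSQL campaign above, a password-guessing burst followed by a successful login and xp_cmdshell being switched on, both land in the SQL Server ERRORLOG. The following detector is an added example, not SISA's or Microsoft's code; the log lines are constructed samples in the ERRORLOG layout, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not from any real incident).
SAMPLE_ERRORLOG = [
    "2023-09-04 02:11:05.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:11:05.42 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:11:05.77 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:11:06.03 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:11:06.31 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:11:06.58 Logon  Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
    "2023-09-04 02:12:40.90 spid57 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2023-09-04 09:30:00.00 Logon  Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]",
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: (?P<ip>[^\]]+)\]")


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (a) bursts of failed logins per client IP, (b) a later success from an IP
    that was already flagged, and (c) xp_cmdshell being switched on."""
    alerts = []
    failures = defaultdict(deque)  # client ip -> timestamps of recent failed logins
    flagged = set()                # client ips already reported for a burst
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]
        client = CLIENT_RE.search(msg)
        ip = client["ip"] if client else None
        if msg.startswith("Login failed for user") and ip:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "mssql_password_guessing", "client": ip, "at": m["ts"]})
        elif msg.startswith("Login succeeded for user") and ip in flagged:
            alerts.append({"rule": "mssql_guessing_then_success", "client": ip, "at": m["ts"]})
        elif "'xp_cmdshell' changed from 0 to 1" in msg:
            alerts.append({"rule": "mssql_xp_cmdshell_enabled", "spid": m["src"], "at": m["ts"]})
    return alerts
```

Feeding the same lines to a SIEM rule is equivalent; the point is that the success-after-burst and the xp_cmdshell change are the two events worth paging on, not the failures alone.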

2. Social engineering attacks targeting Super Administrator Privileges: Okta warns

In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users. The adversary then abused the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The commercial phishing kit 0ktapus, which provides pre-made templates to generate convincing fake login portals and ultimately steal credentials and MFA codes, is central to the attacks.

In the latest set of attacks, the threat actors are said to already be in possession of passwords belonging to privileged user accounts or to “be able to manipulate the delegated authentication flow via Active Directory (AD)” before calling the IT help desk of the targeted company to request a reset of all MFA factors associated with the account. End users, especially those with admin rights, must always double-check the URL of a website before entering their login credentials. It is also recommended to enforce phishing-resistant authentication and strengthen help desk identity verification processes to prevent such attacks.
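The help-desk pattern above has a clear log signature: a reset of all MFA factors on a privileged account, performed by someone other than the account owner, followed shortly by that account opening the admin console. The rule below is an added example, not SISA's or Okta's code; the records are constructed, the field layout is flattened from what Okta's System Log nests under actor/target/client, the two event type names are assumed, and the inventory of privileged accounts is an assumed input.

```python
from datetime import datetime, timedelta

# Constructed Okta-style System Log records, flattened to the fields the rule needs
# (not data from any real tenant; event type names are assumed).
SAMPLE_EVENTS = [
    {"published": "2023-09-05T14:02:10Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@example.com", "target": "super.admin@example.com", "ip": "198.51.100.4"},
    {"published": "2023-09-05T14:10:02Z", "eventType": "user.session.access_admin_app",
     "actor": "super.admin@example.com", "target": "super.admin@example.com", "ip": "203.0.113.77"},
    {"published": "2023-09-05T16:30:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@example.com", "target": "alice@example.com", "ip": "198.51.100.4"},
    {"published": "2023-09-05T16:45:00Z", "eventType": "user.session.access_admin_app",
     "actor": "alice@example.com", "target": "alice@example.com", "ip": "198.51.100.9"},
]
# Assumed inventory of Super Administrator accounts, maintained by the security team.
PRIVILEGED = {"super.admin@example.com"}


def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(hours=2)):
    """Alert on a help-desk reset of all MFA factors for a privileged account, and raise
    the severity if that account then opens the admin console within the window."""
    alerts = []
    events = sorted(events, key=_ts)
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.reset_all" or ev["target"] not in PRIVILEGED:
            continue
        if ev["actor"] == ev["target"]:
            continue  # self-service reset, not the help-desk pattern
        alert = {"rule": "privileged_mfa_reset_by_helpdesk", "user": ev["target"],
                 "reset_by": ev["actor"], "severity": "medium", "admin_ip": None}
        for later in events[i + 1:]:          # look ahead, but only inside the window
            if _ts(later) - _ts(ev) > window:
                break
            if (later["eventType"] == "user.session.access_admin_app"
                    and later["actor"] == ev["target"]):
                alert["severity"] = "high"
                alert["admin_ip"] = later["ip"]
                break
        alerts.append(alert)
    return alerts
```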

3. Earth Estries targets government and tech sectors across multiple countries

The Earth Estries hacking group is behind an active cyberespionage campaign targeting government and IT organizations in various countries. The campaign employs a wide range of malicious tools like backdoors, information stealers, and port scanners. The methods overlap with those used by another hacker group, FamousSparrow. The group initially gains access via DLL sideloading attacks, compromising accounts with administrative privileges to infect internal servers.

Following the initial compromise, Earth Estries deploys a Cobalt Strike beacon, a commercial penetration testing tool repurposed for malicious activity. This beacon enables the hackers to distribute additional malware and move laterally within the victim’s network. To stay protected from such attacks, it is recommended to limit administrative privileges, implement strong password policies, and isolate critical servers and resources from the broader network. Additionally, use the MITRE ATT&CK framework to understand the tactics, techniques, and procedures (TTPs) used by Earth Estries and prepare appropriate defenses.

4. New SuperBear Trojan emerges in targeted phishing attack on South Korean activists

A new remote access trojan (RAT) called SuperBear has been discovered in a targeted phishing attack against civil society groups and activists in South Korea. The attack begins with a phishing email sent to the target, disguised to appear to come from a known contact within the activist’s organization. Once the email is opened, the victim is induced to execute a malicious LNK file attached to it. Upon execution, this LNK file triggers a PowerShell command, which in turn runs a Visual Basic script. This script is designed to fetch additional payloads from a compromised WordPress website.

The next part of the attack involves an AutoIt script, launched via an Autoit3.exe binary file named “solmir.pdb.” This script employs a technique known as process hollowing, in which malicious code is injected into a running process that has been temporarily suspended. Specifically, an instance of Explorer.exe is spawned and suspended, into which the SuperBear RAT is then injected. Once activated, the RAT establishes a secure connection to a Command and Control (C2) server to exfiltrate sensitive data from the compromised system and download and execute additional DLLs. Organizations need to take immediate steps to bolster their security posture. This includes educating staff, implementing strong security mechanisms, and being prepared for incident response.
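The SuperBear chain leaves two durable traces in process-creation telemetry: an AutoIt interpreter running under a name other than Autoit3.exe (here “solmir.pdb”), and an explorer.exe started by that interpreter rather than by userinit.exe or winlogon.exe, with PowerShell and a script host further up the parent chain. The detector below is an added example, not SISA's code and not the RAT's; the events are constructed in a simplified Sysmon-like shape, where “original” stands in for the OriginalFileName field.

```python
import ntpath

# Constructed Sysmon-style process-creation events (PIDs and paths are made up;
# "original" stands in for the OriginalFileName field from the PE version resource).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "original": "EXPLORER.EXE"},
    {"pid": 201, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original": "PowerShell.EXE"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\wscript.exe", "original": "wscript.exe"},
    {"pid": 203, "ppid": 202, "image": r"C:\Users\u\AppData\Local\Temp\solmir.pdb", "original": "AutoIt3.exe"},
    {"pid": 204, "ppid": 203, "image": r"C:\Windows\explorer.exe", "original": "EXPLORER.EXE"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "original": "NOTEPAD.EXE"},
]
# Parents that legitimately start explorer.exe on a Windows desktop.
NORMAL_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _name(ev):
    return ntpath.basename(ev["image"]).lower()


def _ancestry(ev, by_pid, max_depth=6):
    """Return image names of the parent chain, nearest parent first."""
    chain, cur = [], by_pid.get(ev["ppid"])
    while cur is not None and len(chain) < max_depth:
        chain.append(_name(cur))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        # Renamed interpreter: the PE says AutoIt3.exe but the file on disk is called something else.
        if ev["original"].lower() == "autoit3.exe" and _name(ev) != "autoit3.exe":
            alerts.append({"rule": "renamed_autoit_interpreter", "pid": ev["pid"], "image": ev["image"]})
        # explorer.exe started by an unusual parent with a script host further up the chain:
        # the LNK -> PowerShell -> VBS -> AutoIt -> hollowed explorer.exe sequence.
        chain = _ancestry(ev, by_pid)
        if (_name(ev) == "explorer.exe" and chain
                and chain[0] not in NORMAL_EXPLORER_PARENTS and SCRIPT_HOSTS & set(chain)):
            alerts.append({"rule": "explorer_spawned_from_script_chain", "pid": ev["pid"], "chain": chain})
    return alerts
```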

5. New SideTwist backdoor and Agent Tesla variant unleashed via phishing campaigns

The Iranian threat actor APT34, known by various aliases, has been linked to a new phishing campaign deploying a variant of the SideTwist backdoor. This campaign involves a bait Microsoft Word document with a malicious macro that delivers the SideTwist payload, which then establishes communication with a remote server. Additionally, a new Agent Tesla variant has been discovered in a separate phishing campaign that exploits an old Microsoft Office vulnerability (CVE-2017-11882) to collect sensitive information from victims.

APT34 is known for its sophisticated cyber espionage activities, primarily targeting sectors such as telecommunications, government, defense, oil, and financial services in the Middle East. Agent Tesla is a notorious information-stealing malware that collects sensitive data from victim devices, including saved credentials, keylogging information, and screenshots. Beyond the APT34 and Agent Tesla campaigns, there have been reports of phishing attacks employing ISO image file lures to launch malware strains such as Agent Tesla, LimeRAT, and Remcos RAT on compromised hosts. Organizations are advised to prioritize security measures such as awareness, software updates, email filtering, and endpoint protection to defend against these evolving threats.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
