Last February 2019, Security researchers identified several spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S.
The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which were dubbed, “BabyShark”.
BabyShark is a relatively new malware. The earliest sample was found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator.
The threat actor behind the BabyShark malware family has expanded its operations beyond conducting espionage to also targeting the cryptocurrency industry. Security researchers also discovered decoy documents related to xCryptoCrash, an online gambling game that show the attackers are now also targeting the cryptocurrency industry.
The researchers analyzed samples found on an attacker-controlled server, including the initial malware used to launch the attacks as well as two other files, KimJongRAT and PCRat, which BabyShark installs on victim machines. The malware authors internally referred to those two files as “cowboys.”
KimJongRAT appears to be used to steal email credentials from Microsoft Outlook and Mozilla Thunderbird as well as login credentials for Google, Facebook and Yahoo accounts stored in widely used browsers. That data is then sent to the attackers’ control server using other malware, such as BabyShark and PCRat.
The original emails used months ago targeted the think tank where the nuclear security expert works as well as a U.S. university that was the venue for a conference on North Korea denuclearization.
The researchers have shared technical data from its analysis, including indicators of compromise that defenders can use to protect against BabyShark, through the Cyber Threat Alliance and other organizations. Several security firms have also taken steps to defend its customers from BabyShark by implementing patches and other additional security measures.