BabyShark Malware Targeting Nuclear and Cryptocurrency Industries
In February 2019, Palo Alto Networks’ Unit 42 researchers announced that they had identified a spear phishing campaign, active since late 2018, targeting U.S. national security think tanks and academic institutions. Their research indicates that the “threat actor might have interests in gathering intelligence related to not only North Korea but possibly wider in the Northeast Asia region.”
According to Unit 42, the spear phishing emails deliver malware called BabyShark, which “shares infrastructure with playbooks associated with North Korean campaigns.”
However, as reported by Cyware, the malware’s activity has since expanded and it is now being used for other purposes.
What’s the matter – According to the researchers, the operators of BabyShark are now also targeting cryptocurrency businesses for financial gain.
The malware’s activity observed between March and April 2019 includes:
- Espionage on nuclear security and the Korean peninsula’s national security issues
- Financial gain through intrusions into cryptocurrency businesses
In addition, BabyShark has been observed deploying two further malware families as secondary payloads. These secondary payloads, KimJongRAT and PCRat, are referred to by the researchers as ‘Cowboys’.
How is it done – The attackers reach victims through spear phishing or watering hole attacks. In the spear phishing case, the malicious link is delivered inside an email; in the watering hole case, victims are redirected to a malicious link made to look like a Microsoft link.
Once BabyShark is launched, it works through a multi-stage infection chain, performing checks before each stage. This ensures that only the intended hosts are advanced to the next stage before the malware finally beacons back to the attackers.
“This is done by maintaining a list of blacklisted IP addresses and computer names for those who have made suspicious access attempts, such as access with invalid parameters, to the server as a possible technique meant to make analysis harder. The IP addresses and computer names in the blacklist are written in base64 encoded format at [BASE_URI]/blackip.txt,” researchers explained in a blog post.
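The gating logic described in the quote above, modelled as a small Python script. This is an added illustration for this article, not BabyShark’s own server code: the one-base64-entry-per-line layout of the blacklist file, the parameter names (`id`, `cmd`) that the staging server expects, and all sample IPs and computer names are assumptions constructed so the example runs offline. It shows how a server can refuse already-blacklisted clients, add probing clients (invalid parameters) to the list, and let only expected hosts through to the next stage.

```python
"""
Model of a staging server that keeps a base64-encoded blacklist of IP addresses
and computer names (as at [BASE_URI]/blackip.txt), refuses clients on it, records
clients that make suspicious requests, and serves the next stage only to hosts
that pass. Added example, not BabyShark's code; file layout, parameter names and
sample data are assumptions.
"""
import base64

# Constructed sample of a blackip.txt-style file: one base64-encoded entry per
# line (assumed layout). Decoded, it holds two IPs and one computer name.
SAMPLE_BLACKIP_TXT = "\n".join(
    base64.b64encode(entry.encode()).decode()
    for entry in ("203.0.113.7", "198.51.100.23", "SANDBOX-PC")
)

# Parameters a legitimately infected host is expected to send (assumed names).
EXPECTED_PARAMS = {"id", "cmd"}


def decode_blacklist(text: str) -> set[str]:
    """Decode a base64-per-line blacklist into a set of IPs and computer names.

    Lines that are not valid base64 are skipped instead of raising, so a
    corrupted or half-written file cannot take the gate offline.
    """
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.add(base64.b64decode(line, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return entries


def encode_blacklist(entries) -> str:
    """Inverse of decode_blacklist: serialise entries the way the file stores them."""
    return "\n".join(base64.b64encode(e.encode()).decode() for e in sorted(entries))


def gate_request(client_ip: str, computer_name: str, params: dict, blacklist: set[str]):
    """Decide what the staging server does with one request.

    Returns (decision, blacklist). 'deny' for a client already on the list,
    'blacklist' for a request that looks like probing (missing, unknown or empty
    parameters), which is then recorded, and 'next_stage' for a host that passes.
    """
    if client_ip in blacklist or computer_name in blacklist:
        return "deny", blacklist
    if set(params) != EXPECTED_PARAMS or not all(params.values()):
        # Suspicious access (e.g. an analyst requesting the URL by hand): record
        # both identifiers so later attempts from that host or machine are refused.
        return "blacklist", blacklist | {client_ip, computer_name}
    return "next_stage", blacklist


def simulate(requests, blacklist_text=SAMPLE_BLACKIP_TXT):
    """Replay a sequence of (ip, computer_name, params) through the gate."""
    blacklist = decode_blacklist(blacklist_text)
    decisions = []
    for ip, name, params in requests:
        decision, blacklist = gate_request(ip, name, params, blacklist)
        decisions.append(decision)
    return decisions, blacklist


# Constructed traffic: a blacklisted box, a targeted host, a probe with invalid
# parameters, then the probing machine returning from a different IP.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "WORKSTATION-1", {"id": "a1", "cmd": "execute"}),
    ("192.0.2.10", "TARGET-PC", {"id": "a1", "cmd": "execute"}),
    ("192.0.2.55", "ANALYST-VM", {"foo": "bar"}),
    ("192.0.2.56", "ANALYST-VM", {"id": "a1", "cmd": "execute"}),
]

if __name__ == "__main__":
    decisions, final = simulate(SAMPLE_REQUESTS)
    for (ip, name, _), d in zip(SAMPLE_REQUESTS, decisions):
        print(f"{ip:14} {name:14} -> {d}")
    print("updated blackip.txt:\n" + encode_blacklist(final))
```

The point for an analyst is the fourth request: once a computer name has been recorded, changing the source IP is not enough to get the next stage again, so a sandbox or researcher machine that touched the URL with the wrong parameters once will see nothing further from that server.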
About the Cowboys – The secondary payloads are delivered as:
- An EXE loader
- A DLL loader
- One custom-encoded payload
“The functionality of the EXE and DLL loaders is the same: the only difference is the file type. These loaders are later run upon receiving an execution command: ‘execute’ to invoke the EXE type loader or ‘power com’ to launch the DLL type loader. We theorize the reason for having two different type loaders is to have redundancy for loading the payload in case of anti-virus software’s disruption. Either loader will load the custom encoded secondary payload, the Cowboy, in memory, decode it, and execute it,” the researchers said.
KimJongRAT steals email credentials from Microsoft Outlook and Mozilla Thunderbird, along with the system’s OS version and login credentials for Google, Facebook and Yahoo.
PCRat is a variant of the Gh0st RAT family, a remote access trojan whose source code is openly available on the internet.
The bottom line – The malware’s evolving activity shows that its operators have made a deliberate effort to expand their operations into the cryptocurrency industry. The threat actors are also leveraging both commodity and custom-developed tools in this campaign.