BabyShark Remote Access Trojan

BabyShark is a new remote access trojan first seen in November 2018 targeting government organisations. It shares infrastructure associated with previous KimJongRAT and STOLEN PENCIL campaigns.

BabyShark is distributed via targeted email campaigns as a malicious attachment. When opened, the attachment connects to and executes an HTA file from a remote location. This application then makes a series of HTTP GET requests to another location to decode and execute the main BabyShark script.

Once successfully established, BabyShark makes changes to the user’s registry settings to disable future macro warnings and maintain persistence, before executing a series of Windows commands to collect information about the infected system. This information is then encoded and uploaded to a command and control (C2) server. BabyShark has the functionality to perform other commands provided to it from the C2 server, although at the time of publication no other commands have been observed.

Indicators of Compromise

URLs

  • tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta
  • tdalpacafarm[.]com/files/kr/contents/upload.php
  • tdalpacafarm[.]com/files/kr/contents/Usoro.hta

Filenames

  • Oct_Bld_full_view.docm

SHA256 File Hashes

  • 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa
  • 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8
  • 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e
  • 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2
  • 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6
  • 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7
  • 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0
  • dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a
  • 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0
  • 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: