1. Home
  2. Software
  3. BabyShark

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [1]

ID: S0414
Associated Software: LATEOP
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 07 October 2019
Last Modified: 06 May 2024

Associated Software Descriptions

Name Description
LATEOP

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 反混淆/解码文件或信息

BabyShark has the ability to decode downloaded files prior to execution.[3]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1][3]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

BabyShark has used cmd.exe to execute commands.[1]

Enterprise T1132 .001 数据编码: Standard Encoding

BabyShark has encoded data using certutil before exfiltration.[1]
Enterprise T1083 文件和目录发现

BabyShark has used dir to search for "programfiles" and "appdata".[1]

Enterprise T1012 查询注册表

BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.[1]

Enterprise T1070 .004 移除指标: File Deletion

BabyShark has cleaned up all files associated with the secondary payload execution.[4]
Enterprise T1218 .005 系统二进制代理执行: Mshta

BabyShark has used mshta.exe to download and execute applications from a remote server.[3]
Enterprise T1082 系统信息发现

BabyShark has executed the ver command.[1]

Enterprise T1033 系统所有者/用户发现

BabyShark has executed the whoami command.[1]
Enterprise T1016 系统网络配置发现

BabyShark has executed the ipconfig /all command.[1]

Enterprise T1105 输入工具传输

BabyShark has downloaded additional files from the C2.[4][3]
Enterprise T1056 .001 输入捕获: Keylogging

BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[4]
Enterprise T1057 进程发现

BabyShark has executed the tasklist command.[1]

Enterprise T1053 .005 预定任务/作业: Scheduled Task

BabyShark has used scheduled tasks to maintain persistence.[5]

Groups That Use This Software

ID Name References
G0094 Kimsuky

[3][6][5][2]

References

  1. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  2. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  3. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  1. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  2. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  3. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.