Phishing campaign attempts to spread a new brand of snooping malware

These new malware attacks are very precisely targeted with the aim of gathering information.
Written by Danny Palmer, Senior Writer

A cyber espionage campaign is targeting national security think tanks and academic institutions in the US in what's believed to be an intelligence gathering operation by a hacking group working out of North Korea.

A series of spear-phishing attacks using fake emails with malicious attachments attempts to deliver a new family of malware, which researchers at Palo Alto Networks have identified and dubbed BabyShark. The campaign started in November and remained active at least into the new year.

Among the known targets identified by researchers are an American university planning a conference around North Korea denuclearization and a research institute serving as a think tank around national security. 

The phishing emails are designed to look as if they've been sent by a security expert working as a consultant to national security think tanks across the US, and come with subjects referencing North Korean nuclear issues as well as wider security topics.

While much of the content used in the decoy emails is publicly available on the internet, such as the schedule of a real conference, the attackers also use content that doesn't appear to be public. This suggests the campaign may already have compromised a victim with access to private documents at a think tank, and is reusing that material as lure content.


Like many phishing attacks, the campaign relies on the recipient enabling macros in the malicious attachment; the macro then launches BabyShark, a Microsoft Visual Basic (VB) script-based malware, on the victim's Windows PC.

Once running, BabyShark adds a registry key so that it persists on the infected host, and communicates with a command and control server to retrieve commands from its operators.
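The two mechanisms described above, a macro that hands off to a script host and a registry Run key that relaunches it, are the cheap places to hunt for this class of implant. The script below is an added example, not code from the ZDNet article or from Palo Alto Networks' analysis: it parses a `reg export` of the HKCU Run/RunOnce keys and flags entries that invoke a script host (wscript, cscript, mshta, powershell and similar), reference a script file, carry an encoded PowerShell command, or live in a user-writable directory. The `.reg` text embedded in it is constructed for the demonstration and contains no real BabyShark indicators; the heuristics are generic and will also surface benign software that installs itself under AppData, so treat a "low" finding as a prompt to look, not as a verdict.

```python
"""Flag script-host persistence entries in a .reg export of Run/RunOnce keys.

Added example for illustration; the sample registry data below is constructed
and is not an indicator from the BabyShark report.
"""
import ntpath
import re
import sys
from dataclasses import dataclass

# Constructed sample of what `reg export HKCU\...\Run run.reg` produces.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B //Nologo \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs\""
"Helper"="\"C:\\Program Files\\Vendor\\helper.exe\" -tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="powershell.exe -nop -w hidden -enc SQBFAFgA"
'''

KEY_RE = re.compile(r'^\[(.+\\CurrentVersion\\Run(?:Once)?)\]$', re.IGNORECASE)
# "name"="data" where both parts may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token of a command line, quoted or bare.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
SCRIPT_EXT_RE = re.compile(r'\.(?:vbs|vbe|js|jse|hta|wsf|ps1|bat|cmd)\b', re.IGNORECASE)
ENC_RE = re.compile(r'(?:^|\s)-(?:enc|encodedcommand|ec)\b', re.IGNORECASE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    key: str
    name: str
    command: str
    severity: str   # "high" or "low"
    reasons: list


def parse_reg_export(text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):        # some other key: stop collecting
            current = None
            continue
        value = VALUE_RE.match(line)
        if current and value:
            # .reg escapes backslash and double quote with a backslash; undo that.
            name = re.sub(r"\\(.)", r"\1", value.group(1))
            data = re.sub(r"\\(.)", r"\1", value.group(2))
            yield current, name, data


def launcher(command):
    """Base name of the executable a Run-key command line starts, lower-cased."""
    m = EXE_RE.match(command)
    path = (m.group(1) or m.group(2)) if m else ""
    return ntpath.basename(path).lower()


def assess(command):
    """Return (severity, reasons) for one command line."""
    strong = []
    exe = launcher(command)
    if exe in SCRIPT_HOSTS:
        strong.append(f"launched via script host {exe}")
    if SCRIPT_EXT_RE.search(command):
        strong.append("runs a script file")
    if ENC_RE.search(command):
        strong.append("encoded PowerShell command")
    weak = any(p in command.lower() for p in USER_WRITABLE)
    if weak:
        strong.append("references a user-writable directory")
    if len(strong) > (1 if weak else 0):
        return "high", strong
    return ("low", strong) if weak else ("none", [])


def scan(reg_text):
    """Return a Finding for every Run-key value that trips at least one heuristic."""
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        severity, reasons = assess(command)
        if severity != "none":
            findings.append(Finding(key, name, command, severity, reasons))
    return findings


if __name__ == "__main__":
    # `reg export` writes UTF-16 with a BOM; fall back to the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG
    for f in scan(text):
        print(f"[{f.severity.upper()}] {f.key}\\{f.name}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against a real export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` followed by `python scan_run.py run.reg`; the same parser works on an HKLM export if you add that hive to the command. The severity split is deliberate: a script host or a script file in a Run key is rarely legitimate on a managed workstation, whereas an executable under AppData is how plenty of per-user installers behave, so that alone only rates "low".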

As part of an intelligence-gathering campaign, the goal of the malware is to monitor the infected system and gather data.

Analysis of BabyShark reveals connections to two other suspected North Korean hacking campaigns, Stolen Pencil and KimJongRAT. BabyShark is signed with the same stolen code signing certificate used in the Stolen Pencil campaign; these two families are the only malware known to use it.


Meanwhile, BabyShark and KimJongRAT use the same file path for storing collected information, and those behind BabyShark appear to have tested their samples against anti-virus detection alongside freshly compiled samples of KimJongRAT.

The decoy files used in an attempt to deliver KimJongRAT, which also follow a very similar theme to the ones used in the BabyShark campaign, all relate to North Korea, nuclear deterrence and conferences on Asian affairs.

All of that has led researchers to the conclusion that BabyShark is another North Korean hacking campaign — one which is attempting to keep a close eye on specially selected targets.

"Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence," researchers said.
