Categories: SecurityWorkspace

Researchers Tie ‘BabyShark’ Espionage Malware To North Korea

Security researchers have identified a highly targeted espionage spear phishing campaign that may be part of an effort by North Korea to spy on research institutions.

Palo Alto Networks said at least two institutions in the US have been targeted by  convincing-looking emails that attempt to deliver a new espionage malware strain the firm calls BabyShark.

The campaign began in November of last year and is ongoing, Palo Alto said.

The firm said the BabyShark malware was being spread by emails that appear to come from an unnamed nuclear security expert who currently works as a consultant in the US.

Malicious files

The emails use a publicly available email address with the expert’s name and use a subject line alluding to North Korean nuclear issues.

The collected emails have a malicious Excel macro document attached, which, when executed, loads the Visual Basic-based BabyShark malware.

BabyShark launches from a remote location, and as such can be delivered via different attack methods.

While the current emails use malicious documents, Palo Alto found evidence the attackers are developing the capability to deliver BabyShark via Portable Executable (PE) files.

BabyShark maintains persistence on the system by altering the Windows registry and sends system information to command servers, Palo Alto said.

Academic institutions targeted

The attackers were found to have targeted at least two instutitions, a university that was planning to hold a conference on North Korean denuclearisation and a US research institute that serves as a think tank for national security issues.

The latter institute is where the nuclear expert mentioned above currently works.

Palo Alto found links between BabyShark and two other suspected North Korean malware strains, KimJongRAT and Stolen Pencil, leading the firm to believe BabyShark may also be linked to North Korea.

“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said in an advisory.

While the malicious emails used some publicly available information, they also used information that doesn’t appear to be public.

That means the attackers may already have compromised a target with access to private documents at the think tank as part of the campaign.

“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

NHS Covid-19 Tracing App For England, Wales, Nears Launch

Date for limited rollout of delayed NHS track and trace app for England and Wales…

3 days ago

Coronavirus: Facebook Staff To Work From Home Until July 2021

Facebook follows Google lead by extending right of staffers to work from home until July…

3 days ago

Canon Suffers Ransomware Attack, With 10TB Of Data Stolen – Report

Report suggests Canon has been crippled with a ransomware attack with allegedly 10TB of data,…

4 days ago

Uber Expands UK Reach With Autocab Buy

Amid consolidation in the taxi sector caused by Coronavirus lockdown, Uber purchases British rival Autocab…

4 days ago

TikTok Selects Ireland For First European Data Centre

Ireland to get another data centre after the Chinese-owned short video app TikTok announces first…

4 days ago