Categories: SecurityWorkspace

Researchers Tie ‘BabyShark’ Espionage Malware To North Korea

Security researchers have identified a highly targeted espionage spear phishing campaign that may be part of an effort by North Korea to spy on research institutions.

Palo Alto Networks said at least two institutions in the US have been targeted by  convincing-looking emails that attempt to deliver a new espionage malware strain the firm calls BabyShark.

The campaign began in November of last year and is ongoing, Palo Alto said.

The firm said the BabyShark malware was being spread by emails that appear to come from an unnamed nuclear security expert who currently works as a consultant in the US.

Malicious files

The emails use a publicly available email address with the expert’s name and use a subject line alluding to North Korean nuclear issues.

The collected emails have a malicious Excel macro document attached, which, when executed, loads the Visual Basic-based BabyShark malware.

BabyShark launches from a remote location, and as such can be delivered via different attack methods.

While the current emails use malicious documents, Palo Alto found evidence the attackers are developing the capability to deliver BabyShark via Portable Executable (PE) files.

BabyShark maintains persistence on the system by altering the Windows registry and sends system information to command servers, Palo Alto said.

Academic institutions targeted

The attackers were found to have targeted at least two instutitions, a university that was planning to hold a conference on North Korean denuclearisation and a US research institute that serves as a think tank for national security issues.

The latter institute is where the nuclear expert mentioned above currently works.

Palo Alto found links between BabyShark and two other suspected North Korean malware strains, KimJongRAT and Stolen Pencil, leading the firm to believe BabyShark may also be linked to North Korea.

“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said in an advisory.

While the malicious emails used some publicly available information, they also used information that doesn’t appear to be public.

That means the attackers may already have compromised a target with access to private documents at the think tank as part of the campaign.

“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

EU Deepens Investigation Into Elon Musk’s X

European Commission adds “additional investigatory measures to X” as part of its ongoing DSA investigation

1 day ago

Supreme Court Rules TikTok Can Be Banned in US

Ruling from Supreme Court upholds nationwide ban on TikTok unless ByteDance sells, but official says…

1 day ago

Apple Suspends AI-Generated News Notifications After Errors

After complaint from BBC, Apple opts to suspending artificial intelligence feature after inaccurate summaries of…

1 day ago

TikTok Prepares To Shutdown App In US On Sunday – Report

As an advisor says Trump is exploring options to 'preserve' TikTok, reports suggest app is…

2 days ago

BT Abandons Plan To Turn Roadside Cabinets Into EV Chargers

BT throws in the towel to install 60,000 EV chargers utilising roadside cabinets, after installing…

2 days ago

Biden Signs Executive Order To Bolster US Cyber Defences

In its final few days, Biden Administration delivers another executive order focused on bolstering cybersecurity…

2 days ago