
Researchers Tie ‘BabyShark’ Espionage Malware To North Korea

Security researchers have identified a highly targeted espionage spear phishing campaign that may be part of an effort by North Korea to spy on research institutions.

Palo Alto Networks said at least two institutions in the US have been targeted by convincing-looking emails that attempt to deliver a new espionage malware strain the firm calls BabyShark.

The campaign began in November of last year and is ongoing, Palo Alto said.

The firm said the BabyShark malware was being spread by emails that appear to come from an unnamed nuclear security expert who currently works as a consultant in the US.

Malicious files

The emails use a publicly available email address with the expert’s name and use a subject line alluding to North Korean nuclear issues.

The collected emails have a malicious Excel macro document attached, which, when executed, loads the Visual Basic-based BabyShark malware.

BabyShark launches from a remote location, and as such can be delivered via different attack methods.

While the current emails use malicious documents, Palo Alto found evidence the attackers are developing the capability to deliver BabyShark via Portable Executable (PE) files.

BabyShark maintains persistence on the system by altering the Windows registry and sends system information to command servers, Palo Alto said.

Academic institutions targeted

The attackers were found to have targeted at least two institutions: a university that was planning to hold a conference on North Korean denuclearisation, and a US research institute that serves as a think tank for national security issues.

The latter institute is where the nuclear expert mentioned above currently works.

Palo Alto found links between BabyShark and two other suspected North Korean malware strains, KimJongRAT and Stolen Pencil, leading the firm to believe BabyShark may also be linked to North Korea.

“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said in an advisory.

While the malicious emails used some publicly available information, they also used information that doesn’t appear to be public.

That means the attackers may already have compromised a target with access to private documents at the think tank as part of the campaign.

“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto said.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
