BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
Executive Summary
In February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear phishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging BabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency industry, showing that those behind these attacks also have interests in financial gain.
While tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware’s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on the victim hosts upon receiving an operator’s command. By analyzing the files, we were able to further understand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to maintain operational security and supported remote administration commands. Based on our research, it …
IoC
173.248.170.149
33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254
4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7
75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5
bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1
bde663d08d4e2e17940d890ccf2e6e74
d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712
d742aa65c4880f85ae43feebb0781b67
daab894b81cc375f0684ae66981b357d
f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8
http://173.248.170.149:80