
New BabyShark Malware Targets U.S. National Security Think Tanks

2019-02-22, Palo Alto Networks
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
#BabyShark

Contents

In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached which, when executed, led to a new Microsoft Visual Basic (VB) script-based malware family that we are dubbing “BabyShark”.
BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from …

IoC
tdalpacafarm.com/files/kr/contents/Usoro.hta
https://tdalpacafarm.com/files/kr/contents/Vkggy0.hta
https://tdalpacafarm.com/files/kr/contents/upload.php