
Targeted APT Activity: BABYSHARK Is Out for Blood

2022-03-01, Huntress
https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood
#BabyShark


tl;dr: This blog follows the ThreatOps investigation of targeted DPRK (North Korean) backed cyber espionage efforts against nuclear think tanks. It details the threat hunt from beginning to end, including how our ThreatOps analysts found the threat, how our team peeled back the layers to analyze the malicious activity, and how the threat actors phished their way into the partner's network in the first place. Scroll to the bottom for indicators of compromise.
On February 16, Huntress discovered malicious and targeted advanced persistent threat (APT) activity within a trialing partner organization. This activity aligns with known tradecraft attributed to North Korean threat actors targeting national security think tanks.
The uncovered malware family, dubbed BABYSHARK by other researchers, is used by a DPRK state-sponsored threat actor. This variant was significantly customized and tailored to the specific victim environment, indicating a targeted attack.
In this blog, we'll pull back the curtain on the technical details, …

IoC