Palo Alto Networks’ Unit 42 researchers announced on Friday that they have identified a spear phishing campaign from November 2018 that is targeting U.S. national security think tanks and academic institutions. Research indicates that the “threat actor might have interests in gathering intelligence related to not only North Korea, but possibly wider in the Northeast Asia region.”
The spear phishing emails contain malware dubbed BabyShark (doo doo doo doo doo doo) that “shares infrastructure with playbooks associated with North Korean campaigns,” according to Unit 42. In a blog post, Unit 42 explained that the spear-phishing emails were designed to appear as though they were from a nuclear security expert who currently works as a consultant in the United States and were sent using a public email address with the expert’s name and had a subject line referencing North Korea’s nuclear issues. “The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family,” Unit 42 explained.
Unit 42 explained that BabyShark is a fairly new malware with the earliest sample seen in Nov. 2018. It is launched by executing the first stage HTA, a file extension for an HTML executable file format, from a remote location. This means that it can be delivered via a variety of file types, including Portable Executable files and malicious documents. “It exfiltrates system information to [a] C2 [command-and-control] server, maintains persistence on the system, and waits for further instruction from the operator,” Unit 42 explained.
Researchers were able to determine that the phishing emails targeted a United States university that was going to hold a conference regarding a North Korea denuclearization issue and a national security think tank based in the United States, where the previously referenced nuclear expert currently works.
“Expanding our search to public repository samples, we identified additional malicious document samples delivering BabyShark,” Unit 42 researchers explained. “The original file names and decoy contents of these samples suggested that the threat actor might have interests in gathering intelligence related to not only North Korea, but possibly wider in the Northeast Asia region.”
Researchers were also able to find links between BabyShark and other suspected North Korean malicious cyber activities, such as KimJongRAT and STOLEN PENCIL.