BabyShark Remote Access Trojan

BabyShark is a new remote access trojan first seen in November 2018 targeting government organisations. It shares infrastructure associated with previous KimJongRAT and STOLEN PENCIL campaigns.

BabyShark is distributed via targeted email campaigns as a malicious attachment. When opened, the attachment connects to and executes an HTA file from a remote location. This application then makes a series of HTTP GET requests to another location to decode and execute the main BabyShark script.

Once successfully established, BabyShark makes changes to the user’s registry settings to disable future macro warnings and maintain persistence, before executing a series of Windows commands to collect information about the infected system. This information is then encoded and uploaded to a command and control (C2) server. BabyShark has the functionality to perform other commands provided to it from the C2 server, although at the time of publication no other commands have been observed.

Indicators of Compromise

URLs

• tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta
• tdalpacafarm[.]com/files/kr/contents/upload.php
• tdalpacafarm[.]com/files/kr/contents/Usoro.hta

Filenames

• Oct_Bld_full_view.docm

SHA256 File Hashes

• 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa
• 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8
• 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e
• 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2
• 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6
• 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7
• 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0
• dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a
• 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0
• 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c