Researchers Tie ‘BabyShark’ Espionage Malware To North Korea

Security researchers have identified a highly targeted espionage spear phishing campaign that may be part of an effort by North Korea to spy on research institutions.

Palo Alto Networks said at least two institutions in the US have been targeted by  convincing-looking emails that attempt to deliver a new espionage malware strain the firm calls BabyShark.

The campaign began in November of last year and is ongoing, Palo Alto said.

The firm said the BabyShark malware was being spread by emails that appear to come from an unnamed nuclear security expert who currently works as a consultant in the US.

Malicious files

The emails use a publicly available email address with the expert’s name and use a subject line alluding to North Korean nuclear issues.

The collected emails have a malicious Excel macro document attached, which, when executed, loads the Visual Basic-based BabyShark malware.

BabyShark launches from a remote location, and as such can be delivered via different attack methods.

While the current emails use malicious documents, Palo Alto found evidence the attackers are developing the capability to deliver BabyShark via Portable Executable (PE) files.

BabyShark maintains persistence on the system by altering the Windows registry and sends system information to command servers, Palo Alto said.

Academic institutions targeted

The attackers were found to have targeted at least two instutitions, a university that was planning to hold a conference on North Korean denuclearisation and a US research institute that serves as a think tank for national security issues.

The latter institute is where the nuclear expert mentioned above currently works.

Palo Alto found links between BabyShark and two other suspected North Korean malware strains, KimJongRAT and Stolen Pencil, leading the firm to believe BabyShark may also be linked to North Korea.

“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said in an advisory.

While the malicious emails used some publicly available information, they also used information that doesn’t appear to be public.

That means the attackers may already have compromised a target with access to private documents at the think tank as part of the campaign.

“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto said.