Categories: SecurityWorkspace

Researchers Tie ‘BabyShark’ Espionage Malware To North Korea

Security researchers have identified a highly targeted espionage spear phishing campaign that may be part of an effort by North Korea to spy on research institutions.

Palo Alto Networks said at least two institutions in the US have been targeted by  convincing-looking emails that attempt to deliver a new espionage malware strain the firm calls BabyShark.

The campaign began in November of last year and is ongoing, Palo Alto said.

The firm said the BabyShark malware was being spread by emails that appear to come from an unnamed nuclear security expert who currently works as a consultant in the US.

Malicious files

The emails use a publicly available email address with the expert’s name and use a subject line alluding to North Korean nuclear issues.

The collected emails have a malicious Excel macro document attached, which, when executed, loads the Visual Basic-based BabyShark malware.

BabyShark launches from a remote location, and as such can be delivered via different attack methods.

While the current emails use malicious documents, Palo Alto found evidence the attackers are developing the capability to deliver BabyShark via Portable Executable (PE) files.

BabyShark maintains persistence on the system by altering the Windows registry and sends system information to command servers, Palo Alto said.

Academic institutions targeted

The attackers were found to have targeted at least two instutitions, a university that was planning to hold a conference on North Korean denuclearisation and a US research institute that serves as a think tank for national security issues.

The latter institute is where the nuclear expert mentioned above currently works.

Palo Alto found links between BabyShark and two other suspected North Korean malware strains, KimJongRAT and Stolen Pencil, leading the firm to believe BabyShark may also be linked to North Korea.

“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said in an advisory.

While the malicious emails used some publicly available information, they also used information that doesn’t appear to be public.

That means the attackers may already have compromised a target with access to private documents at the think tank as part of the campaign.

“Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago