Palo Alto Networks Unit 42 researchers have discovered a new type of cyber espionage phishing campaign that may be part of North Korea’s efforts to gather intel from research and think tank institutions in the US.
According to the company’s advisory, threat actors are distributing a series of spear-phishing attacks using fake email messages designed to trick recipients.
Researchers said the malware campaign, known as “BabyShark,” started in November of last year and is still ongoing.
The firm said the BabyShark malware was being distributed by emails that appear to be sent from a nuclear security expert who works as a consultant in the US.
The emails also use a subject line referencing North Korean nuclear issues.
The spear-phishing emails carry a malicious Excel macro document as an attachment, which, when executed, loads the new Microsoft Visual Basic (VB) script-based malware.
The malware is launched by executing the first-stage HTA from a remote location, and it sends an HTTP GET request to another location on the same C2 server that decodes the BabyShark VB script.
While the email uses a malicious document, the firm said they found evidence that threat actors are developing the capability to deliver BabyShark through Portable Executable (PE) files.
By communicating with the command and control server, BabyShark gains a registry key to maintain persistence and waits for further commands from the operator, Palo Alto said.
Academic institutions targeted
The attackers targeted at least two institutions: a university in the US which was planning to hold a conference about North Korea’s denuclearisation, and a US research institute that serves as a think tank for national security issues.
The latter institute is where the nuclear expert currently works, researchers said.
KimJongRAT and Stolen Pencil campaigns
Analysis of BabyShark also reveals links to other suspected North Korean hacking campaigns: KimJongRAT and Stolen Pencil. BabyShark is signed with the same stolen code signing certificate used in the Stolen Pencil campaign.
Meanwhile, BabyShark and KimJongRAT use the same file path for storing collected system information. The threat actors behind the BabyShark malware also frequently tested their samples for detection while developing the malware, and the testing samples included a freshly tested, compiled KimJongRAT.
“We suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the Stolen Pencil campaign,” the firm said.
“Well-crafted spear-phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” Palo Alto added.