BabyShark Malware – Attacks Continue Using KimJongRAT and PCRat

While tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark malware’s server-side and client-side files, as well as two encoded secondary PE payload files that the malware installs on victim hosts upon receiving an operator’s command. Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of which malware family is delivered. In our analysis, we found that BabyShark attacks were using KimJongRAT and PCRat as the encoded secondary payload, so these were the “Cowboys”.

Operator commands observed in the collected BabyShark files:

Command Name    Description

getfiles        Archive all files in the BabyShark base path as a ZIP archive, then upload it to the C2.

exe_down        Download the files for the secondary payload:
                – a Cowboy, a custom encoded PE payload
                – an EXE type loader which decodes and loads Cowboy in memory
                – a DLL type loader which decodes and loads Cowboy in memory

redirect_vbs    The purpose of this command is not clear because the key file is missing, but it is likely used to change the C2 path.