In February 2019, a new malware family named BabyShark was found targeting national security think tanks and academic institutions in the US. In the campaign, the malware was used primarily used to collect secrets and sensitive details from the targets.
However, the activities of the malware have been expanded and it is being used for other malicious purposes.
What’s the matter - According to researchers from Unit 42 of Palo Alto Networks, the operators of BabyShark malware are now targeting cryptocurrency industries with an intent to make some profit.
The recent activities of the malware observed from March 2019 to April 2019 include:
In addition to this, the malware has been found using two other malware as secondary payloads. They malware used as secondary payloads - KinJongRAT and PCRat - are referred to as ‘Cowboys’.
How is it done - The attackers are using spear phishing or watering hole attacks to target users. In the case of spear phishing, a malicious link is sent attached within an email. Whereas, in the watering hole attack, the victims are redirected to a malicious go[.]microsoft[.]com link.
Once the BabyShark malware is launched, the malware unleashes its multi-stage infection chain by performing checks between each stage. This ensures only targeted hosts are advanced to the next stage before it finally beacons back to the attackers.
“This is done by maintaining a list of blacklisted IP addresses and computer names for those who have made suspicious access attempts, such as access with invalid parameters, to the server as a possible technique meant to make analysis harder. The IP addresses and computer names in the blacklist are written in base64 encoded format at [BASE_URI]/blackip.txt,” researchers explained in a blog post.
About the Cowboys - The secondary payloads are delivered as:
“The functionality of the EXE and DLL loaders is the same: the only difference is the file type. These loaders are later run upon receiving an execution command: 'execute' to invoke the EXE type loader or 'power com' to launch the DLL type loader. We theorize the reason for having two different type loaders is to have redundancy for loading the payload in case of anti-virus software’s disruption. Either loader will load the custom encoded secondary payload, the Cowboy, in memory, decode it, and execute it,” the researchers said.
The information that the KimJongRAT steals from victim machines includes email credentials from Microsoft Outlook and Mozilla Thunderbird. The malware also pilfers system’s OS version along with login credentials for Google Facebook and Yahoo.
PCRat is a variant of Gh0stRAT malware family. It is a remote administration trojan whose source code is openly available on the internet.
The bottom line - The malware’s evolving activities shows that the malware author has made certain efforts to expand its operations to target the cryptocurrency industries. The threat actors are also leveraging other commodity and custom developed tools in this campaign.