New Spear Phishing campaign targets US national security think tanks with BabyShark malware

• Researchers recently observed a spear phishing campaign containing a new malware dubbed ‘BabyShark’.
• Researchers noted that the spear phishing campaign targets national security think tanks and research institutions in the US.

Researchers from Palo Alto Networks observed a spear phishing campaign containing a new malware dubbed ‘BabyShark’. Researchers noted that the spear phishing campaign targets national security think tanks and research institutions in the US.

Worth noting

• The spear phishing emails purported to be from a nuclear security expert who currently works as a consultant in the US.
• The phishing emails were sent from a public email address with the nuclear security expert’s name.
• The emails contained subjects referencing North Korean nuclear issues.
• The emails included a Microsoft Excel document attachment with malicious macros.
• The malicious macros when enabled, downloads and executes a new Microsoft Visual Basic (VB) script-based malware dubbed ‘BabyShark’.

Why it matters - The phishing emails targeted universities and research institutes in the US.

• The emails were sent to a University in the US while it had to conduct a conference on North Korea denuclearization issue.
• The emails also targeted a research institute in the US which serves as a think tank for national security issues.

What it reveals - Analysis of BabyShark malware revealed connections with other North Korean activities - KimJongRAT and STOLEN PENCIL campaign.

• BabyShark and KimJongRAT use the same path file for storing collected system information.
• KimJongRAT also targeted national security think tanks.
• The attackers behind BabyShark frequently tested its samples for antivirus detection, which included a freshly compiled KimJongRat sample.
• BabyShark sample was signed with a stolen certificate that was used in the STOLEN PENCIL campaign.

“While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign,” Researchers from Palo Alto networks said.

What's the conclusion - While most of the content used in the phishing emails were publicly available information on the internet, some content was non-public. This implies that the attacker behind the spear phishing campaign has most likely compromised someone from the US national security think tank who had access to private information.

“The threat actor behind it has a clear focus on gathering intelligence related to Northeast Asia’s national security issues. Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence,” researchers noted.