S0414 BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns.[1]
Item | Value |
---|---|
ID | S0414 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 07 October 2019 |
Last Modified | 12 March 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1][4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | BabyShark has used cmd.exe to execute commands.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | BabyShark has encoded data using certutil before exfiltration.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | BabyShark has the ability to decode downloaded files prior to execution.[4] |
enterprise | T1083 | File and Directory Discovery | BabyShark has used dir to search for “programfiles” and “appdata”.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | BabyShark has cleaned up all files associated with the secondary payload execution.[2] |
enterprise | T1105 | Ingress Tool Transfer | BabyShark has downloaded additional files from the C2.[2][4] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[2] |
enterprise | T1057 | Process Discovery | BabyShark has executed the tasklist command.[1] |
enterprise | T1012 | Query Registry | BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | BabyShark has used scheduled tasks to maintain persistence.[3] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.005 | Mshta | BabyShark has used mshta.exe to download and execute applications from a remote server.[4] |
enterprise | T1082 | System Information Discovery | BabyShark has executed the ver command.[1] |
enterprise | T1016 | System Network Configuration Discovery | BabyShark has executed the ipconfig /all command.[1] |
enterprise | T1033 | System Owner/User Discovery | BabyShark has executed the whoami command.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0094 | Kimsuky | [3][4][5] |
References
1. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
2. Lim, M. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat. Retrieved October 7, 2019.
3. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
4. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
5. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.