S0414 BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [1]

| Item | Value |
|---|---|
| ID | S0414 |
| Associated Names | - |
| Version | 1.2 |
| Created | 07 October 2019 |
| Last Modified | 12 March 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence. [1][4] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | BabyShark has used cmd.exe to execute commands. [1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | BabyShark has encoded data using certutil before exfiltration. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BabyShark has the ability to decode downloaded files prior to execution. [4] |
| enterprise | T1083 | File and Directory Discovery | BabyShark has used dir to search for “programfiles” and “appdata”. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | BabyShark has cleaned up all files associated with the secondary payload execution. [2] |
| enterprise | T1105 | Ingress Tool Transfer | BabyShark has downloaded additional files from the C2. [2][4] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger. [2] |
| enterprise | T1057 | Process Discovery | BabyShark has executed the tasklist command. [1] |
| enterprise | T1012 | Query Registry | BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | BabyShark has used scheduled tasks to maintain persistence. [3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | BabyShark has used mshta.exe to download and execute applications from a remote server. [4] |
| enterprise | T1082 | System Information Discovery | BabyShark has executed the ver command. [1] |
| enterprise | T1016 | System Network Configuration Discovery | BabyShark has executed the ipconfig /all command. [1] |
| enterprise | T1033 | System Owner/User Discovery | BabyShark has executed the whoami command. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | [4][5][3] |