BabyShark

Posted: June 7, 2019

BabyShark is a VisualBasic-based backdoor Trojan that can give a remote attacker your system information and accept configurable commands for other attacks. Its payloads generally include dropping other threats with system-controlling features, such as Remote Access Trojans. Users should check their browser and e-mail environments for potential vulnerabilities and use anti-malware services for deleting BabyShark if it does appear.

The Baby's All Grown Up and Comes with RATs

In 2018, it became apparent that threat actors with motivations for seeking information concerning security details for the Korean peninsula and nearby Asian nations were deploying a new Trojan for that purpose. The backdoor Trojan, BabyShark, showed its hand quickly, with ties to older threats like the KimJongRAT and well-defined phishing techniques. However, it's still active a year late, with an expanded payload and mission scope.

Along with the previously-noted targets, BabyShark also has an interest in the cryptocurrency sector, which malware experts glean from the documents associated with its delivery. These phishing e-mails include both private and public content that the hackers hijack and re-purpose for delivering the Trojan through macros embedded into Excel spreadsheets. This attack is a typical introduction method for state-sponsored and espionage-based threats.

The other evolution in BabyShark's payload is the secondary Trojans that it drops. Besides supporting an extensible framework for attack commands, BabyShark installs persistent Remote Access Trojans: KimJongRAT and PCRat. The former is interesting – since malware experts confirm similar file path structures between BabyShark and the first RAT – which, in other circumstances, could have implied that BabyShark was an upgrade or replacement.

Although it isn't a complete or exhaustive list, some of the default commands in past BabyShark infections are well-defined. These functions include VisualBasic and PowerShell options for loading Trojans into memory directly, changing the Command & Control target domain, uploading files from the infected PC and keylogging.

Hunting Down Trojanized Sealife

Much like real-world aquatic life can come with parasites attached, BabyShark infections imply the presence of other threats that can give threat actors administrative panel control over Windows PCs. The keylogging and uploading components of BabyShark, also, make it very likely that any hackers will collect information, such as passwords, with a minimum of trouble. The use of memory injection, while an expected feature, remains powerful at preventing visual identification of these new Trojans, who will not display files or separate processes.

Phishing e-mail attacks involving BabyShark may theme themselves after cryptocurrency gambling services, conference schedules concerning Asian politics, or even private articles that are specific to the organization or receiving worker. Malware experts continue recommending against enabling macros since doing so is the first step to facilitating a BabyShark drive-by-download, which enables further macro-based exploits without requiring additional permission. Professional anti-malware utilities can remove BabyShark and the accompanying RATs as a last resort.

That BabyShark is branching out from political targets to financial ones makes its campaign a little more unpredictable than is usual for a backdoor Trojan of its history. What's beyond question is that its threat actors are getting the information they want out of their attacks, thanks to victims who walk their way into 'in plain sight' traps like corrupted documents.