BabyShark Remote Access Trojan

BabyShark is a new remote access trojan first seen in November 2018 targeting government organisations. It shares infrastructure associated with previous KimJongRAT and STOLEN PENCIL campaigns.


Affected platforms

The following platforms are known to be affected:

Threat details

BabyShark is distributed via targeted email campaigns as a malicious attachment. When opened, the attachment connects to and executes an HTA file from a remote location. This application then makes a series of HTTP GET requests to another location to decode and execute the main BabyShark script.

Once successfully established, BabyShark makes changes to the user’s registry settings to disable future macro warnings and maintain persistence, before executing a series of Windows commands to collect information about the infected system. This information is then encoded and uploaded to a command and control (C2) server. BabyShark has the functionality to perform other commands provided to it from the C2 server, although at the time of publication no other commands have been observed.
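As an added example that is not part of this advisory, the PowerShell audit below checks a Windows host for the two registry-level symptoms just described: Office macro warnings having been disabled, and an autorun entry that relaunches a script host such as mshta.exe with a remote URL or a .hta/.vbs file. The Office VBAWarnings value and the Run/RunOnce keys are Microsoft's documented locations; the suspicious-command regex, the function names and the output fields are this example's own assumptions, and the advisory does not state which exact registry values BabyShark modifies.

```powershell
# Added example (not the advisory's own code): audit this host for
#   1. Office macro warnings disabled (VBAWarnings = 1 under HKCU\...\Office\<ver>\<app>\Security)
#   2. Run/RunOnce autoruns that hand a script host a remote URL or a .hta/.vbs file.
# The regex and output shape are assumptions made for this example.

function Get-MacroWarningFindings {
    # VBAWarnings: 1 = enable all macros (no prompt), 2 = disable with notification,
    # 3 = digitally signed only, 4 = disable all without notification.
    $findings = @()
    $securityKeys = Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Security' }
    foreach ($key in $securityKeys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.VBAWarnings -and [int]$props.VBAWarnings -eq 1) {
            $findings += [pscustomobject]@{
                Check  = 'MacroWarningsDisabled'
                Where  = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Detail = "VBAWarnings=$($props.VBAWarnings) (all macros run without prompting)"
            }
        }
    }
    return $findings
}

function Get-ScriptHostAutorunFindings {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumed pattern: a script/command host given an http(s) URL or a .hta/.vbs file.
    $suspicious = '(?i)(mshta|wscript|cscript|powershell|pwsh)(\.exe)?\b.*(https?://|\.hta\b|\.vbs\b)'
    # Properties that Get-ItemProperty adds itself and that are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $findings = @()
    foreach ($path in $runKeys) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            if ("$($p.Value)" -match $suspicious) {
                $findings += [pscustomobject]@{
                    Check  = 'ScriptHostAutorun'
                    Where  = "$path\$($p.Name)"
                    Detail = "$($p.Value)"
                }
            }
        }
    }
    return $findings
}

# Run both checks and print a table; an empty result means neither symptom was found.
$results = @(Get-MacroWarningFindings) + @(Get-ScriptHostAutorunFindings)
if ($results.Count -eq 0) {
    'No findings.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reads the registry, so it can be run under the affected user's account without elevation; HKLM autoruns are still readable without administrator rights. A VBAWarnings value of 1 is a finding on its own, because a user-set value of 1 is rare and the advisory describes the malware turning the warning off.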

Update

New BabyShark campaigns have been observed delivering both KimJongRAT and PCRat to affected systems as well as using a new keylogging function post-infection.

The campaigns use a number of new PowerShell and VBS commands, issued by the operator, to download and install a custom-encoded portable executable called Cowboy, which contains either KimJongRAT or PCRat, along with a DLL to decode it. There does not appear to be any pattern to which Cowboy version BabyShark installs on an affected system.


Remediation steps

To prevent and detect a trojan infection, ensure that:

  • A robust programme of education and awareness training is delivered to users so that they do not open attachments or follow links in unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up to date.
  • Regular anti-virus and security scans are performed across your organisation’s estate.
  • Day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts that have been accessed from affected devices are reset from a clean computer.
  • Your organisation adopts a holistic, all-round approach to cyber security as advocated by the 10 Steps to Cyber Security.

 
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Last edited: 14 February 2020 2:51 pm