BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [1]

ID: S0414
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 07 October 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BabyShark has used cmd.exe to execute commands.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

BabyShark has encoded data using certutil before exfiltration.[1]

Enterprise T1083 File and Directory Discovery

BabyShark has used dir to search for "programfiles" and "appdata".[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

BabyShark has cleaned up all files associated with the secondary payload execution.[2]

Enterprise T1105 Ingress Tool Transfer

BabyShark has downloaded additional files from the C2.[2]

Enterprise T1056 .001 Input Capture: Keylogging

BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[2]

Enterprise T1057 Process Discovery

BabyShark has executed the tasklist command.[1]

Enterprise T1012 Query Registry

BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default.[1]

Enterprise T1082 System Information Discovery

BabyShark has executed the ver command.[1]

Enterprise T1016 System Network Configuration Discovery

BabyShark has executed the ipconfig /all command.[1]

Enterprise T1033 System Owner/User Discovery

BabyShark has executed the whoami command.[1]

References