win.babyshark

BabyShark

Actor(s): Kimsuky


BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing a first-stage HTA from a remote location, so it can be delivered through different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.
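The description above gives the one host-side observable that is common to every delivery vector: an HTA pulled from a remote location is executed by mshta.exe, the HTA host that ships with Windows, and when the lure is a document the parent of that mshta.exe is an Office process. The following is an added Python example (not BabyShark code and not a vendor detection) that applies both checks to a constructed, Sysmon-like process-creation log; the field names, the log format and the RFC 5737 IP addresses are assumptions of the example, so map them to your own telemetry.

```python
"""Flag mshta.exe launches consistent with a remote first-stage HTA.

Added example for this page, not BabyShark code or a vendor detection.
Input is a constructed, Sysmon-like process-creation log with the fields
ParentImage, Image and CommandLine joined by '|'; map the field names to
your own telemetry. IPs are RFC 5737 documentation addresses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Document handlers that have no business spawning the HTA host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# An HTA pulled straight from a URL instead of a local file.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (or a bare image name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def classify(ev: ProcEvent) -> List[str]:
    """Return the reasons an mshta.exe launch looks suspicious ([] if none)."""
    if basename(ev.image) != "mshta.exe":
        return []
    reasons = []
    if REMOTE_URL.search(ev.command_line):
        reasons.append("remote-hta")
    parent = basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"office-parent:{parent}")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """(command line, reasons) for every event that classify() flags."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


# Constructed sample log: a document-spawned remote HTA, a local HTA run
# from Explorer (not flagged), an unrelated process, a PE-spawned remote HTA.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta.exe http://203.0.113.10/stage1.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe notes.txt",
    r"ParentImage=C:\Users\alice\Downloads\invoice.exe"
    r"|Image=C:\Windows\System32\mshta.exe"
    r"|CommandLine=mshta https://198.51.100.7/a.hta",
]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_LOG):
        print(f"{', '.join(why):40s} {cmd}")
```

The second sample line shows the blind spot of the URL check: an HTA that a PE dropper first writes to disk and then runs locally produces no URL on the command line and is not flagged here. Since the page notes delivery via PE files as well, environments that can tolerate the volume should record every mshta.exe launch and review the parent process rather than rely on the URL heuristic alone.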

References
2020-11-04 | ESTsecurity | Alyac
@online{alyac:20201104:apt:668b6b4, author = {Alyac}, title = {{북한 연계 해킹조직 탈륨, 미국 대선 예측 언론 문서로 위장한 APT 공격 수행 출처}}, date = {2020-11-04}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/3352}, language = {Korean}, urldate = {2020-11-04} }
Title in English: North Korea-linked hacking group Thallium carries out an APT attack disguised as a press document forecasting the US presidential election
BabyShark
2020-11-02 | Cybereason | Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
@online{dahan:20201102:back:64a6991, author = {Assaf Dahan and Lior Rochberger and Daniel Frank and Tom Fakterman}, title = {{Back to the Future: Inside the Kimsuky KGH Spyware Suite}}, date = {2020-11-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite}, language = {English}, urldate = {2020-11-02} }
BabyShark GoldDragon KGH_SPY Kimsuky
2020-10-27 | US-CERT | US-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} }
BabyShark Meterpreter Kimsuky
2020-03-09 | PWC UK | Kris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200309:tracking:5a16ab4, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html}, language = {English}, urldate = {2020-07-13} }
BabyShark MyDogs Kimsuky
2020-03-09 | PWC UK | Kris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200309:tracking:1979cbf, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2021-05-03} }
BabyShark MyDogs Kimsuky
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-12-18 | US District Court for the Eastern District of Virginia
@online{virginia:20191218:microsoft:0576bc3, author = {US District Court for the Eastern District of Virginia}, title = {{MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS}}, date = {2019-12-18}, url = {https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1}, language = {English}, urldate = {2020-04-28} }
BabyShark Kimsuky
2019-02-22 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} }
BabyShark Kimsuky
2019-02-22 | Twitter | 0xffff0800
@online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} }
BabyShark
Yara Rules
[TLP:WHITE] win_babyshark_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_babyshark_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0890216d4000 40 3bc7 76f5 }
            // n = 4, score = 100
            //   0890216d4000         | or                  byte ptr [eax + 0x406d21], dl
            //   40                   | inc                 eax
            //   3bc7                 | cmp                 eax, edi
            //   76f5                 | jbe                 0xfffffff7

        $sequence_1 = { 83e01f c1f905 8b0c8d607e4000 8a44c104 83e040 c3 a1???????? }
            // n = 7, score = 100
            //   83e01f               | and                 eax, 0x1f
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d607e4000       | mov                 ecx, dword ptr [ecx*4 + 0x407e60]
            //   8a44c104             | mov                 al, byte ptr [ecx + eax*8 + 4]
            //   83e040               | and                 eax, 0x40
            //   c3                   | ret                 
            //   a1????????           |                     

        $sequence_2 = { c1f805 83e61f 8d1c85607e4000 c1e603 8b03 8a443004 }
            // n = 6, score = 100
            //   c1f805               | sar                 eax, 5
            //   83e61f               | and                 esi, 0x1f
            //   8d1c85607e4000       | lea                 ebx, [eax*4 + 0x407e60]
            //   c1e603               | shl                 esi, 3
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8a443004             | mov                 al, byte ptr [eax + esi + 4]

        $sequence_3 = { 8a9405ecfcffff ebe3 80a0206c400000 40 41 41 }
            // n = 6, score = 100
            //   8a9405ecfcffff       | mov                 dl, byte ptr [ebp + eax - 0x314]
            //   ebe3                 | jmp                 0xffffffe5
            //   80a0206c400000       | and                 byte ptr [eax + 0x406c20], 0
            //   40                   | inc                 eax
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx

        $sequence_4 = { 8088216d400004 40 ebee 6a40 33c0 59 bf???????? }
            // n = 7, score = 100
            //   8088216d400004       | or                  byte ptr [eax + 0x406d21], 4
            //   40                   | inc                 eax
            //   ebee                 | jmp                 0xfffffff0
            //   6a40                 | push                0x40
            //   33c0                 | xor                 eax, eax
            //   59                   | pop                 ecx
            //   bf????????           |                     

        $sequence_5 = { 8ac8 80e920 ebe0 80a0206c400000 40 3bc6 72be }
            // n = 7, score = 100
            //   8ac8                 | mov                 cl, al
            //   80e920               | sub                 cl, 0x20
            //   ebe0                 | jmp                 0xffffffe2
            //   80a0206c400000       | and                 byte ptr [eax + 0x406c20], 0
            //   40                   | inc                 eax
            //   3bc6                 | cmp                 eax, esi
            //   72be                 | jb                  0xffffffc0

        $sequence_6 = { 8bf2 c1f805 83e61f 8b0485607e4000 8b04f0 83f8ff 7404 }
            // n = 7, score = 100
            //   8bf2                 | mov                 esi, edx
            //   c1f805               | sar                 eax, 5
            //   83e61f               | and                 esi, 0x1f
            //   8b0485607e4000       | mov                 eax, dword ptr [eax*4 + 0x407e60]
            //   8b04f0               | mov                 eax, dword ptr [eax + esi*8]
            //   83f8ff               | cmp                 eax, -1
            //   7404                 | je                  6

        $sequence_7 = { eb26 8d4508 8db674624000 6a00 50 ff36 }
            // n = 6, score = 100
            //   eb26                 | jmp                 0x28
            //   8d4508               | lea                 eax, [ebp + 8]
            //   8db674624000         | lea                 esi, [esi + 0x406274]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff36                 | push                dword ptr [esi]

        $sequence_8 = { 0f879a060000 ff2485271a4000 834df0ff 8955cc }
            // n = 4, score = 100
            //   0f879a060000         | ja                  0x6a0
            //   ff2485271a4000       | jmp                 dword ptr [eax*4 + 0x401a27]
            //   834df0ff             | or                  dword ptr [ebp - 0x10], 0xffffffff
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx

        $sequence_9 = { 721d 83f924 7718 c705????????0d000000 c3 8b04d5c4684000 }
            // n = 6, score = 100
            //   721d                 | jb                  0x1f
            //   83f924               | cmp                 ecx, 0x24
            //   7718                 | ja                  0x1a
            //   c705????????0d000000     |     
            //   c3                   | ret                 
            //   8b04d5c4684000       | mov                 eax, dword ptr [edx*8 + 0x4068c4]

    condition:
        7 of them and filesize < 65272
}
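To make the matching semantics of the auto-generated rule visible, here is an added Python example (not Malpedia's or yara-signator's code) that compiles the rule's ten hex strings into byte regexes, treating each `??` as a one-byte wildcard, and evaluates the rule's own condition, "7 of them and filesize < 65272", against in-memory buffers. The two buffers it tests are constructed from the sequences themselves and are not real samples; for actual scanning use yara, this only shows what the condition accepts and rejects.

```python
"""Evaluate the win_babyshark_auto hex strings without the yara binary.

Added example, not Malpedia's or yara-signator's code. Each YARA hex string
becomes a bytes regex: a literal byte per hex pair, '.' (with DOTALL) per
'??' wildcard. The rule's own condition, 7 of them and filesize < 65272,
is then applied to an in-memory buffer. Test buffers are constructed from
the sequences themselves; they are not real samples.
"""
import re
from typing import Dict, List

# The strings section of the rule above, verbatim minus disassembly comments.
RULE_TEXT = r"""
$sequence_0 = { 0890216d4000 40 3bc7 76f5 }
$sequence_1 = { 83e01f c1f905 8b0c8d607e4000 8a44c104 83e040 c3 a1???????? }
$sequence_2 = { c1f805 83e61f 8d1c85607e4000 c1e603 8b03 8a443004 }
$sequence_3 = { 8a9405ecfcffff ebe3 80a0206c400000 40 41 41 }
$sequence_4 = { 8088216d400004 40 ebee 6a40 33c0 59 bf???????? }
$sequence_5 = { 8ac8 80e920 ebe0 80a0206c400000 40 3bc6 72be }
$sequence_6 = { 8bf2 c1f805 83e61f 8b0485607e4000 8b04f0 83f8ff 7404 }
$sequence_7 = { eb26 8d4508 8db674624000 6a00 50 ff36 }
$sequence_8 = { 0f879a060000 ff2485271a4000 834df0ff 8955cc }
$sequence_9 = { 721d 83f924 7718 c705????????0d000000 c3 8b04d5c4684000 }
"""
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 65272     # "filesize < 65272"

HEX_STRING = re.compile(r"(\$\w+)\s*=\s*\{([^}]*)\}")


def hex_to_regex(body: str) -> "re.Pattern[bytes]":
    """Compile a YARA hex string body such as '0890 ?? 40' into a bytes regex."""
    nibbles = "".join(body.split())
    if len(nibbles) % 2:
        raise ValueError("hex string has an odd number of nibbles")
    parts = []
    for i in range(0, len(nibbles), 2):
        pair = nibbles[i:i + 2]
        if pair == "??":
            parts.append(b".")                    # any single byte
        elif "?" in pair:
            raise ValueError("nibble-level wildcards are not handled here")
        else:
            parts.append(re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def compile_rule(rule_text: str) -> Dict[str, "re.Pattern[bytes]"]:
    """Name -> compiled regex for every $string in a YARA strings section."""
    return {name: hex_to_regex(body) for name, body in HEX_STRING.findall(rule_text)}


def matching_strings(patterns: Dict[str, "re.Pattern[bytes]"], data: bytes) -> List[str]:
    """Names of the strings that occur anywhere in data."""
    return [name for name, pat in patterns.items() if pat.search(data)]


def rule_matches(patterns: Dict[str, "re.Pattern[bytes]"], data: bytes) -> bool:
    """The rule's condition: 7 of them and filesize < 65272."""
    return len(matching_strings(patterns, data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def render(body: str, fill: int = 0x00) -> bytes:
    """Concrete bytes for a hex body, with every ?? set to `fill`.
    Only used to build the constructed test buffers below."""
    nibbles = "".join(body.split())
    return bytes(fill if nibbles[i:i + 2] == "??" else int(nibbles[i:i + 2], 16)
                 for i in range(0, len(nibbles), 2))


BODIES = dict(HEX_STRING.findall(RULE_TEXT))
PATTERNS = compile_rule(RULE_TEXT)

# Constructed buffers: NOP-padded copies of the first seven sequences (meets
# "7 of them") and of the first three (does not).
PAD = b"\x90" * 8
SAMPLE_HIT = PAD.join(render(BODIES[f"$sequence_{i}"]) for i in range(7)) + PAD
SAMPLE_MISS = PAD.join(render(BODIES[f"$sequence_{i}"]) for i in range(3)) + PAD

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, sorted(matching_strings(PATTERNS, buf)), rule_matches(PATTERNS, buf))
```

Only byte-level `??` wildcards are handled, which is all this rule uses; YARA also supports nibble wildcards, jumps such as `[4-8]` and alternatives, which a real scanner must honour. The filesize clause is worth noting when hunting: a memory dump or a sample with appended data exceeding 65272 bytes will not match even if all ten sequences are present, and the rule's own disclaimer about single-sample generalization applies before any confidence is assigned to a hit.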