win.babyshark

BabyShark

Actor(s): Kimsuky


BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing a first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.
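The delivery model described above, a first-stage HTA pulled from a remote location by either a PE lure or a malicious document, gives a defender one concrete thing to look for in process-creation telemetry. The following is an added example of mine, not code from Malpedia or from the reports it cites. It assumes the HTA is executed by mshta.exe (the Windows HTA host), that events arrive as JSON lines with `id`, `image`, `command_line` and `parent_image` fields as a Sysmon-style collector might emit, and that a document lure shows up as an Office or PDF reader parent while a PE lure runs from a user-writable directory. The field names, the helper names (`classify`, `scan`) and every log line are constructed for the example; `example.invalid` is a reserved placeholder domain.

```python
"""Flag process-creation events consistent with a remote first-stage HTA.

Added example, not from Malpedia or the reports it cites. Assumptions: the
HTA is executed by mshta.exe (the Windows HTA host), and events arrive as
JSON lines with `id`, `image`, `command_line` and `parent_image` fields, as
a Sysmon-style collector might produce. The field names and every log line
below are constructed for the example.
"""
import json
import re
from urllib.parse import urlsplit

# A remote location in the command line: the HTA is fetched over http(s).
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Document handlers that would spawn the HTA host when the lure is a document.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# User-writable locations a dropped PE lure is likely to run from.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like a remote HTA launch ([] if none)."""
    if basename(event.get("image", "")) != "mshta.exe":
        return []
    reasons = []
    cmd = event.get("command_line", "")
    parent_path = event.get("parent_image", "")
    parent = basename(parent_path)

    urls = REMOTE_URL.findall(cmd)
    if urls:
        hosts = sorted({urlsplit(u).hostname or "?" for u in urls})
        reasons.append("mshta.exe fetching remote HTA from " + ", ".join(hosts))
    if parent in DOCUMENT_PARENTS:
        reasons.append("mshta.exe spawned by document handler " + parent)
    elif USER_WRITABLE.search(parent_path):
        reasons.append("mshta.exe spawned from user-writable path " + parent_path)
    return reasons


def scan(lines):
    """Return a list of (event id, reasons) for every suspicious JSON-lines event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("id"), reasons))
    return hits


# Constructed events: 1 = PE lure, 2 = document lure, 3 = local HTA, 4 = not mshta.
SAMPLE_LOG = r"""
{"id": 1, "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta.exe http://example.invalid/stage1.hta", "parent_image": "C:\\Users\\alice\\Downloads\\invitation.exe"}
{"id": 2, "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "\"C:\\Windows\\System32\\mshta.exe\" https://example.invalid/a.hta", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"id": 3, "image": "C:\\Windows\\System32\\mshta.exe", "command_line": "mshta.exe C:\\Users\\alice\\app\\local.hta", "parent_image": "C:\\Windows\\explorer.exe"}
{"id": 4, "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe http://example.invalid/", "parent_image": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_LOG.splitlines()):
        print(event_id, "; ".join(reasons))
```

Event 3 is deliberately left alone: a locally stored HTA run from explorer.exe is not the pattern the description gives, and treating every mshta.exe launch as hostile produces noise in environments that still use HTAs legitimately. The remote URL is the strongest single signal; the parent-process reasons are there to separate the PE and document delivery paths the description mentions.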

References
2020-03-09 | PWC UK | Kris McConkey, Sveva Vittoria Scenarelli
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2
@online{mcconkey:20200309:tracking:5a16ab4, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html}, language = {English}, urldate = {2020-07-13} }
BabyShark MyDogs Kimsuky

2020-03-09 | PWC UK | Kris McConkey, Sveva Vittoria Scenarelli
Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Parts 1 and 2
@online{mcconkey:20200309:tracking:1979cbf, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Parts 1 and 2}}, date = {2020-03-09}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html}, language = {English}, urldate = {2020-07-11} }
BabyShark MyDogs Kimsuky

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2019-12-18 | US District Court for the Eastern District of Virginia
MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS
@online{virginia:20191218:microsoft:0576bc3, author = {US District Court for the Eastern District of Virginia}, title = {{MICROSOFT CORPORATION, Plaintiff, v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS}}, date = {2019-12-18}, url = {https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1}, language = {English}, urldate = {2020-04-28} }
BabyShark Kimsuky

2019-02-22 | Palo Alto Networks Unit 42 | Unit 42
New BabyShark Malware Targets U.S. National Security Think Tanks
@online{42:20190222:new:7bda906, author = {Unit 42}, title = {{New BabyShark Malware Targets U.S. National Security Think Tanks}}, date = {2019-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/}, language = {English}, urldate = {2020-01-07} }
BabyShark Kimsuky

2019-02-22 | Twitter | 0xffff0800
Tweet on PE
@online{0xffff0800:20190222:pe:ea39c56, author = {0xffff0800}, title = {{Tweet on PE}}, date = {2019-02-22}, organization = {Twitter}, url = {https://twitter.com/i/web/status/1099147896950185985}, language = {English}, urldate = {2020-01-08} }
BabyShark
Yara Rules
[TLP:WHITE] win_babyshark_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_babyshark_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d0c49 5e 8d0c8dc8614000 3bc1 }
            // n = 4, score = 100
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   5e                   | pop                 esi
            //   8d0c8dc8614000       | lea                 ecx, [ecx*4 + 0x4061c8]
            //   3bc1                 | cmp                 eax, ecx

        $sequence_1 = { c705????????0d000000 c3 8b04d5c4684000 a3???????? c3 }
            // n = 5, score = 100
            //   c705????????0d000000     |     
            //   c3                   | ret                 
            //   8b04d5c4684000       | mov                 eax, dword ptr [edx*8 + 0x4068c4]
            //   a3????????           |                     
            //   c3                   | ret                 

        $sequence_2 = { 46 8a10 40 0fb6da f683216d400004 740c ff01 }
            // n = 7, score = 100
            //   46                   | inc                 esi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   0fb6da               | movzx               ebx, dl
            //   f683216d400004       | test                byte ptr [ebx + 0x406d21], 4
            //   740c                 | je                  0xe
            //   ff01                 | inc                 dword ptr [ecx]

        $sequence_3 = { 46 8a10 40 0fb6da f683216d400004 }
            // n = 5, score = 100
            //   46                   | inc                 esi
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   0fb6da               | movzx               ebx, dl
            //   f683216d400004       | test                byte ptr [ebx + 0x406d21], 4

        $sequence_4 = { 8bc8 8bd0 c1f905 83e21f 8b0c8d607e4000 f644d10401 }
            // n = 6, score = 100
            //   8bc8                 | mov                 ecx, eax
            //   8bd0                 | mov                 edx, eax
            //   c1f905               | sar                 ecx, 5
            //   83e21f               | and                 edx, 0x1f
            //   8b0c8d607e4000       | mov                 ecx, dword ptr [ecx*4 + 0x407e60]
            //   f644d10401           | test                byte ptr [ecx + edx*8 + 4], 1

        $sequence_5 = { 83f924 7718 c705????????0d000000 c3 8b04d5c4684000 a3???????? c3 }
            // n = 7, score = 100
            //   83f924               | cmp                 ecx, 0x24
            //   7718                 | ja                  0x1a
            //   c705????????0d000000     |     
            //   c3                   | ret                 
            //   8b04d5c4684000       | mov                 eax, dword ptr [edx*8 + 0x4068c4]
            //   a3????????           |                     
            //   c3                   | ret                 

        $sequence_6 = { 0fbe84c6b4504000 c1f804 83f807 8945d0 }
            // n = 4, score = 100
            //   0fbe84c6b4504000     | movsx               eax, byte ptr [esi + eax*8 + 0x4050b4]
            //   c1f804               | sar                 eax, 4
            //   83f807               | cmp                 eax, 7
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax

        $sequence_7 = { c1f805 83e61f 8b0485607e4000 8b04f0 83f8ff }
            // n = 5, score = 100
            //   c1f805               | sar                 eax, 5
            //   83e61f               | and                 esi, 0x1f
            //   8b0485607e4000       | mov                 eax, dword ptr [eax*4 + 0x407e60]
            //   8b04f0               | mov                 eax, dword ptr [eax + esi*8]
            //   83f8ff               | cmp                 eax, -1

        $sequence_8 = { 7d15 8d3449 2bd1 8d34b5d0614000 832600 83c60c }
            // n = 6, score = 100
            //   7d15                 | jge                 0x17
            //   8d3449               | lea                 esi, [ecx + ecx*2]
            //   2bd1                 | sub                 edx, ecx
            //   8d34b5d0614000       | lea                 esi, [esi*4 + 0x4061d0]
            //   832600               | and                 dword ptr [esi], 0
            //   83c60c               | add                 esi, 0xc

        $sequence_9 = { 00904840008a 46 0323 d18847034ec1 }
            // n = 4, score = 100
            //   00904840008a         | add                 byte ptr [eax - 0x75ffbfb8], dl
            //   46                   | inc                 esi
            //   0323                 | add                 esp, dword ptr [ebx]
            //   d18847034ec1         | ror                 dword ptr [eax - 0x3eb1fcb9], 1

    condition:
        7 of them and filesize < 65272
}
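To see how the auto-generated rule above actually behaves without installing yara-python, here is an added example of mine, not code from Malpedia or from yara-signator. It re-implements only the subset of YARA's hex-string syntax the rule uses (literal byte pairs and `??` one-byte wildcards) together with the condition `7 of them and filesize < 65272`, and evaluates it against buffers built from the rule's own strings. The function names (`hex_string_to_regex`, `rule_matches`, `build_sample`) and the buffers are mine; the hex strings are copied verbatim from the rule. It also makes visible a property of this rule that matters when assigning it a confidence level: `$sequence_3` is a prefix of `$sequence_2` and `$sequence_1` is a suffix of `$sequence_5`, so a buffer containing those two longer sequences already satisfies four of the ten strings, and the threshold of seven is reached with five distinct code regions.

```python
"""Minimal evaluator for the win_babyshark_auto hex strings.

Added example, not part of Malpedia or yara-signator. It implements only
the YARA hex-string features the rule above uses (literal byte pairs and
`??` one-byte wildcards) and the condition `7 of them and filesize < 65272`.
The buffers built by build_sample() are constructed, not malware samples.
"""
from __future__ import annotations

import re

# Hex strings copied verbatim from the rule above.
SEQUENCES = {
    "sequence_0": "8d0c49 5e 8d0c8dc8614000 3bc1",
    "sequence_1": "c705????????0d000000 c3 8b04d5c4684000 a3???????? c3",
    "sequence_2": "46 8a10 40 0fb6da f683216d400004 740c ff01",
    "sequence_3": "46 8a10 40 0fb6da f683216d400004",
    "sequence_4": "8bc8 8bd0 c1f905 83e21f 8b0c8d607e4000 f644d10401",
    "sequence_5": "83f924 7718 c705????????0d000000 c3 8b04d5c4684000 a3???????? c3",
    "sequence_6": "0fbe84c6b4504000 c1f804 83f807 8945d0",
    "sequence_7": "c1f805 83e61f 8b0485607e4000 8b04f0 83f8ff",
    "sequence_8": "7d15 8d3449 2bd1 8d34b5d0614000 832600 83c60c",
    "sequence_9": "00904840008a 46 0323 d18847034ec1",
}
MIN_MATCHES = 7        # `7 of them`
MAX_FILESIZE = 65272   # `filesize < 65272`


def _pairs(hex_string: str) -> list[str]:
    """Split a hex string into two-character tokens, rejecting unsupported syntax."""
    tokens = hex_string.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex string: %r" % hex_string)
    pairs = [tokens[i:i + 2] for i in range(0, len(tokens), 2)]
    for p in pairs:
        if "?" in p and p != "??":
            raise ValueError("nibble wildcards such as 'A?' are not implemented")
    return pairs


def hex_string_to_regex(hex_string: str) -> re.Pattern[bytes]:
    """Translate a YARA hex string into a compiled bytes regex.

    `??` becomes `.` (any single byte; DOTALL so 0x0a matches too) and every
    other pair becomes an escaped literal byte.
    """
    parts = [b"." if p == "??" else re.escape(bytes.fromhex(p)) for p in _pairs(hex_string)]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data: bytes) -> list[str]:
    """Names of the rule strings that occur at least once in `data`."""
    return [name for name, pat in COMPILED.items() if pat.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate `7 of them and filesize < 65272` for an in-memory buffer."""
    return len(data) < MAX_FILESIZE and len(matching_sequences(data)) >= MIN_MATCHES


def instantiate(hex_string: str, fill: int = 0x90) -> bytes:
    """Concrete bytes for a hex string, with every `??` replaced by `fill`."""
    return bytes(fill if p == "??" else int(p, 16) for p in _pairs(hex_string))


def build_sample(names: list[str]) -> bytes:
    """Constructed buffer: the named sequences separated by zero padding."""
    pad = b"\x00" * 16
    return pad + pad.join(instantiate(SEQUENCES[n]) for n in names) + pad


if __name__ == "__main__":
    # Five sequences, two of which contain shorter rule strings, so this
    # buffer satisfies seven of the ten strings and the rule fires.
    buf = build_sample(["sequence_0", "sequence_2", "sequence_4", "sequence_5", "sequence_6"])
    print(sorted(matching_sequences(buf)), rule_matches(buf))
```

The synthetic buffers say nothing about real samples; the point is to check the rule's logic rather than its coverage. Because of the two overlapping pairs, `7 of them` is effectively `5 of 8` distinct code regions, and the `filesize` bound means a repacked or appended sample just over 64 KiB is not matched at all, which is worth keeping in mind alongside the single-sample caveat in the rule's own disclaimer.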