A series of spear-phishing attacks using fake emails with malicious attachments attempts to deliver a new family of malware, which researchers at Palo Alto Networks have identified and dubbed BabyShark. The campaign started in November and remained active at least into the new year.
Among the known targets identified by researchers are an American university planning a conference around North Korea denuclearization and a research institute serving as a think tank around national security.
The phishing emails are designed to look as if they were sent by a security expert working as a consultant to national security think tanks across the US, and carry subject lines referencing North Korean nuclear issues as well as broader security topics.
The malware's goal, as part of an intelligence-gathering campaign, is to monitor the infected system and collect data.
Analysis of BabyShark reveals connections to two other suspected North Korean hacking campaigns, Stolen Pencil and KimJongRAT. BabyShark is signed with the same stolen code-signing certificate used in the Stolen Pencil campaign; these two malware families are the only ones known to use it.
Meanwhile, BabyShark and KimJongRAT use the same file path for storing collected information, and those behind BabyShark appear to have tested samples against anti-virus detection alongside freshly compiled samples of KimJongRAT.
The decoy files used in an attempt to deliver KimJongRAT, which also follow a very similar theme to the ones used in the BabyShark campaign, all relate to North Korea, nuclear deterrence and conferences on Asian affairs.
All of that has led researchers to the conclusion that BabyShark is another North Korean hacking campaign — one which is attempting to keep a close eye on specially selected targets.
"Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence," researchers said. Full Story: https://www.zdnet.com/article/phishing-campaign-attempts-to-spread-a-new-brand-of-snooping-malware