BabyShark

Malware updated 7 months ago (2024-11-29T13:38:32.505Z)
Download STIX
Preview STIX
BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used primarily for cyber espionage against U.S.-based think tanks. A new toolset infrastructure associated with BabyShark was discovered between 2019 and 2020, which overlapped with another Kimsuky malware called ReconShark. The latter component is considered a variant of BabyShark, both being part of Kimsuky's arsenal for executing attacks via PowerShell or the Windows Command Shell after gaining initial access. The Nocturnus team tracked down the infrastructure and found overlaps with BabyShark and connections to other malware such as AppleSeed backdoor. The timing of these activities aligns with previous campaigns by the Kimsuky group, including those involving BabyShark and ReconShark. Recently, a threat actor exploited a critical vulnerability in the ConnectWise ScreenConnect remote access tool to deploy a malware strain similar to BabyShark, further cementing the association with the Kimsuky group. A new variant of this malware, dubbed ToddlerShark, has been observed. Researchers at Kroll named it due to its resemblance to BabyShark, but noted important advancements in its capabilities. Hackers have exploited recently disclosed ScreenConnect vulnerabilities to deploy ToddlerShark, which shares similarities with the reconnaissance tools ReconShark and BabyShark used by Kimsuky. In recent campaigns, Kimsuky has leveraged custom backdoors like ReconShark and BabyShark against government organizations, research centers, think tanks, and universities across North America, Europe, and Asia.
Description last updated: 2024-05-17T09:15:36.216Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Reconshark is a possible alias for BabyShark. ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is
3
Toddleshark is a possible alias for BabyShark. ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think t
2
Pcrat is a possible alias for BabyShark. PCrat is a notorious remote administration trojan, with its source code openly accessible on the public internet. This malware, along with KimJongRAT, has been identified as part of malicious cyber attacks. In our analysis, we found that these two malwares were used as the encoded secondary payload
2
Kimjongrat is a possible alias for BabyShark. KimJongRAT is a potent form of malware, malicious software designed to infiltrate and damage computer systems, often without the user's knowledge. It primarily functions as an information stealer, extracting sensitive data such as email credentials from Microsoft Outlook and Mozilla Thunderbird, and
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Windows
Phishing
Reconnaissance
Espionage
Tool
Screenconnect
Apt
Vulnerability
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Kimsuky Threat Actor is associated with BabyShark. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, whichUnspecified
5
Source Document References
Information about the BabyShark Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Unit42
13 days ago
Securityaffairs
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
DARKReading
2 years ago
CERT-EU
2 years ago
CSO Online
2 years ago
CERT-EU
2 years ago
MITRE
2 years ago
MITRE
2 years ago
MITRE
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago