BabyShark

Malware updated 6 months ago (2024-11-29T13:38:32.505Z)

Download STIX

Preview STIX

BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used primarily for cyber espionage against U.S.-based think tanks. A new toolset infrastructure associated with BabyShark was discovered between 2019 and 2020, which overlapped with another Kimsuky malware called ReconShark. The latter component is considered a variant of BabyShark, both being part of Kimsuky's arsenal for executing attacks via PowerShell or the Windows Command Shell after gaining initial access. The Nocturnus team tracked down the infrastructure and found overlaps with BabyShark and connections to other malware such as AppleSeed backdoor. The timing of these activities aligns with previous campaigns by the Kimsuky group, including those involving BabyShark and ReconShark. Recently, a threat actor exploited a critical vulnerability in the ConnectWise ScreenConnect remote access tool to deploy a malware strain similar to BabyShark, further cementing the association with the Kimsuky group. A new variant of this malware, dubbed ToddlerShark, has been observed. Researchers at Kroll named it due to its resemblance to BabyShark, but noted important advancements in its capabilities. Hackers have exploited recently disclosed ScreenConnect vulnerabilities to deploy ToddlerShark, which shares similarities with the reconnaissance tools ReconShark and BabyShark used by Kimsuky. In recent campaigns, Kimsuky has leveraged custom backdoors like ReconShark and BabyShark against government organizations, research centers, think tanks, and universities across North America, Europe, and Asia.

Description last updated: 2024-05-17T09:15:36.216Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Reconshark is a possible alias for BabyShark. ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is	3
Toddleshark is a possible alias for BabyShark. ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think t	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Windows

Phishing

Espionage

Tool

Screenconnect

Apt

Vulnerability

Backdoor

Reconnaissance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Kimsuky Threat Actor is associated with BabyShark. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which	Unspecified	5

Source Document References

Information about the BabyShark Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a year ago	North Korea-linked Kimsuky APT attack targets victims via Messenger
CERT-EU	a year ago	Multiple Vulnerabilities Found In ConnectWise ScreenConnect \| Zscaler
CERT-EU	a year ago	Cyber Security Week in Review: March 8, 2024
CERT-EU	a year ago	North Korea’s Kimsuky gang joins rush to exploit new ScreenConnect bugs
CERT-EU	a year ago	Cyber Security Today, March 6, 2024 – VMware and Apple rush out security updates, a new ScreenConnect malware is found, and more \| IT World Canada News
DARKReading	a year ago	North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware
CERT-EU	a year ago	Critical ScreenConnect flaws exploited to deploy Babyshark malware variant
CERT-EU	a year ago	ScreenConnect flaws exploited to drop new ToddleShark malware
DARKReading	2 years ago	North Korea's Kimsuky Doubles Down on Remote Desktop Control
CERT-EU	2 years ago	Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
CSO Online	2 years ago	North Korean threat actor APT43 pivots back to strategic cyberespionage
CERT-EU	2 years ago	Kimsuky Strikes Again: New Campaign Targets Credentials and Intelligence
MITRE	2 years ago	North Korean Advanced Persistent Threat Focus: Kimsuky \| CISA
MITRE	2 years ago	Back to the Future: Inside the Kimsuky KGH Spyware Suite
MITRE	2 years ago	BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
CERT-EU	2 years ago	Армия хакеров из Северной Кореи совершает масштабные кибератаки на госслужащих и политиков США и Южной Кореи
CERT-EU	2 years ago	North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations \| #cybercrime \| #infosec – National Cyber Security Consulting
CERT-EU	2 years ago	ReconShark – Kimsuky’s Newest Recon Tool
CERT-EU	2 years ago	N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
Securityaffairs	2 years ago	North Korea-linked Kimsuky APT uses new recon tool ReconShark