New BabyShark Malware Targets U.S. National Security Think Tanks

2019-02-22 • Paloalto Networks •

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

#BabyShark

Unit 42 described November 2018 spear-phishing against a U.S. university conference and a U.S. national security think tank using messages impersonating a nuclear security expert. The attached malicious Office documents launched BabyShark by running a remote HTA with mshta from tdalpacafarm[.]com. BabyShark is VBScript-based malware that changes Office macro-warning registry settings, collects host information, sends it to C2, establishes persistence, and waits for operator instructions. Unit 42 assessed that the activity shared infrastructure with North Korea-linked campaigns and overlapped with the STOLEN PENCIL cluster.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	94a09aff59c0c27d1049509032d5ba0…	2019-02-22	2024-03-30
HASH	1334c087390fb946c894c1863dfc9f0…	2019-02-22	2024-03-30
HASH	9d842c9c269345cd3b2a9ce7d338a03…	2019-02-22	2024-03-30
HASH	6f76a8e16908ba2d576cf0e8cdb7011…	2019-02-22	2024-03-30
HASH	dc425e93e83fe02da9c76b56f6fd286…	2019-02-22	2024-03-30
HASH	52b898adaaf2da71c5ad6b3dfd3ecf6…	2019-02-22	2024-03-30
HASH	66439f0e377bbe8cda3e516e801a86c…	2019-02-22	2024-03-30
HASH	331d17dbe4ee61d8f2c91d7e4af17fb…	2019-02-22	2024-03-30
HASH	2b6dc1a826a4d5d5de5a30b458e6ed9…	2019-02-22	2024-03-30
HASH	7b77112ac7cbb7193bcd891ce48ab2a…	2019-02-22	2024-03-30
HASH	8ef4bc09a9534910617834457114b92…	2019-02-22	2024-03-30
URL	https://tdalpacafarm.com/files/…	2019-02-22	2024-03-30
DOMAIN	tdalpacafarm.com	2019-02-22	2024-03-30
HASH	0c8f17b2130addebcb2ca75bd7a982e…	2019-02-22	2019-02-22
HASH	1ad53f5ff0a782fec3bce952035bc85…	2019-02-22	2019-02-22
HASH	b3e85c569e89b6d409841463acb3118…	2019-02-22	2019-02-22
HASH	c4547c917d8a9e027191d99239843d5…	2019-02-22	2019-02-22
URL	https://tdalpacafarm.com/files/…	2019-02-22	2019-02-22
URL	https://tdalpacafarm.com/files/…	2019-02-22	2019-02-22