Attackers behind BabyShark malware and cyber campaigns are now targeting the cryptocurrency industry.
Researchers at Palo Alto Networks Unit 42 have been tracking BabyShark malware activity since February, when attackers had been using spear phishing campaigns to target U.S. national think tanks.
Unit 42 recently observed BabyShark attackers have expanded their targets in the past couple of months to the cryptocurrency industry. Recent BabyShark campaign also targets nuclear security-related espionage and national security issues related to the Korean peninsula. The main objectives behind the attacks appear to be financial gain.
The observations were determined after Unit 42 analyzed server and client-side files and secondary payload files used to infect victim’s systems. For instance, the researchers discovered decoy contents used in the sample files, such as Xcryptocrash, which is an online cryptocurrency gambling game.
The attacks also used remote access trojans (RATs) to deliver malicious files onto victim systems.
“We found BabyShark attacks were using KimJongRAT and PCRat as the encoded secondary payload and thus were the ‘Cowboys’,” Mark Lim of Unit 42 said in recent research report.
Unit 42 team research also revealed how BabyShark uses a “multi-stage infection chain” used to advance only targeted hosts to each phase before the infected host communicates to the attackers command and control (C2) servers. BabyShark also uses VBS and PowerShell tools and remote commands against target hosts.
The researchers added there was also some evidence of a PHP sample exploiting a Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-8174) on the BabyShark C2 server. This could suggest a possible link of the vulnerability exploit to a stage one download of malicious HTA files via spear phishing or watering hole attack.