North Korea: Earlier this year, a malware dubbed BabyShark was found to be targeting information valuable to North Korea owned by U.S. think tanks. There is now a second wave of BabyShark which has been uncovered. This second wave has been found to be utilized for espionage activities against nuclear security and national security issues on the Korean peninsula, as well as financial gain with a focus on cryptocurrency. In these attacks, BabyShark is utilizing KimJongRAT and PCRat as secondary payloads. These secondary payloads are delivered through three loaders, one EXE, one DLL, and one encoded payload. PCRat is a remote code administration trojan which has been openly available for some time now. The KimJongRAT version being utilized is similar to previous variants although it does exhibit some changes. This new variant added a substitution cypher which obfuscates API strings. A PHP sample was discovered on a C2 sever utilized for BabyShark that exploited CVE-2018-8174, which is a Windows VBScriptEngine Remote Code Execution vulnerability. With the shift in relations in recent months between North Korea and the west, it is not surprising that they would be looking to gather further information which could be valuable to their own national security interests as well as seeking out further funding to aid their government. North Korea has found great success in financial theft, especially in that of cryptocurrency from far eastern markets
Analyst Notes
It is unlikely that we will see a change to this any time soon as long as relations between North Korea and the rest of the world remain shaky.
