March 08, 2022

Targeted BABYSHARK Attack on Think Tank

Industry: Think Tank | Level: Tactical | Source: Huntress

A report from Huntress, identified threat activity targeting security think tanks attributed to North Korean threat actors malware strain BABYSHARK. The initial sign of malicious activity was identified from a fraudulent GoogleUpdater scheduled task that runs a malicious vbs file using wscript to download a file hosted on Google Drive. The attack was heavily targeted to this organization as a system check was done by file normal.crp to only execute if the username was “Administrator” or a particular user. The following is noted by Huntress (the mentioned user “Bob” is fictitious to maintain anonymity) “This attack was tailored to focus only on Bob. If (and only if) the username matched Bob, then it would add persistence mechanisms in the Windows registry, stage new obfuscated files, and continue communications with its C2 servers.” Further investigation identified the origin of the attack as a malicious phishing email with a malicious link.

  • Anvilogic Use Cases:
    • Create/Modify Schtasks
    • Suspicious Registry Key Created
    • Wscript/Cscript Execution