BabyShark is a dangerous Trojan infection, and its cutesy name definitely does not reflect its true nature. If it invades an operating system, it can gather information and relay it back to the cybercriminals who created the threat. It appears that the attackers behind this malware have very specific targets, so regular Windows users are unlikely to face it. However, those working for governments, large companies, universities, and organizations in any way linked to nuclear security could be exposed to this malware. When the infection was first discovered, it was using lures built around North Korean nuclear issues to trick targets into letting it in. Unfortunately, it has proven to be successful, and no one can stop the attackers from performing new attacks. Even those who remove BabyShark could end up facing it again.
It appears that the attackers behind BabyShark are relying heavily upon email correspondence to spread this dangerous Trojan. For this purpose, the attackers create a fictitious email message and send it to specific email addresses. It appears that the attackers know very well who they are attacking, and that has helped them create extremely personalized and believable spear-phishing attacks. In one instance, cybercriminals created an email account with the name of a real person working in the nuclear security sector. This email was then sent to universities and research institutes, whose employees were familiar with this person. This spear-phishing attack was deliberately targeted at those who were associated with a conference held to discuss North Korea denuclearization matters.
Since the sender of the malicious email looked legitimate, the targets of BabyShark were more likely to open the malicious file attached to the message. This attachment can come in various formats (e.g., .doc, .xls, .pdf, .exe, .scr, .ps1, or .vbs), but it is most likely to be a document file. Once the attachment is opened, the recipient is asked to enable macros, which is a red flag. If macros are already enabled by default, no prompt appears and the victim is not alarmed at all. By enabling macros, the victim allows BabyShark to execute silently. To distract the victim and ensure that they do not suspect a thing, a decoy document containing some kind of information is displayed. In the meantime, after execution, the Trojan starts collecting data about the user, the computer, and the operating system. All of this data is written to a .LOG file named “ttmp.log” stored in %APPDATA%\Microsoft\. This file is silently sent to a remote C&C server, where the attackers can analyze the recorded data. To ensure that the infection keeps running and collecting information, an autorun registry value is added at HKCU\Software\Microsoft\Command Processor\AutoRun.
Although it is unlikely that BabyShark can affect regular Windows users directly, if it invades systems that contain information pertaining to these regular users, they could be affected indirectly. Also, if cyber attackers leak information about governments and organizations that handle sensitive data, the effects could reach far and wide. For example, if nuclear security-related information is leaked to terrorists, large communities could feel the impact of attacks carried out using that information. Overall, BabyShark should not be underestimated. While the infection was discovered when it attacked institutions in the United States using North Korea-related lures, any country could be targeted next.
As for the removal of BabyShark, it appears that the .LOG file and the value created in the Windows Registry are the only components that must be deleted, and anyone can handle that. Unfortunately, other threats could already exist on the infected machine because, clearly, it lacks overall protection. Therefore, even if systems can be cleared of malware manually, our recommendation is to install anti-malware software that can both delete infections and secure the system. The security teams of the targeted organizations must be informed so that they can take appropriate action. This could include overhauling the implemented security systems, educating employees, and creating new tools to fight off malware and defend vulnerable institutions against cybercrime.
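The two host artifacts named above (the ttmp.log file under %APPDATA%\Microsoft\ and the AutoRun value under HKCU\Software\Microsoft\Command Processor) are what a responder would look for first and what the removal step deletes. The following Python is an added triage example written for this page; it is not part of the original write-up and not code from the malware authors or any vendor. It parses a registry export in the .reg format that `reg export` produces and a file listing, both constructed here as samples, and returns a list of findings with the remediation the write-up describes. The helper names (`parse_reg_export`, `check_registry`, `check_files`, `triage`) and the sample paths are assumptions for the example. One detail the page does not spell out: cmd.exe executes whatever string is in the Command Processor AutoRun value every time it starts, and on a typical workstation that value is absent or empty, so any non-empty content is worth triage regardless of what it contains.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Artifacts named in the write-up above (not an exhaustive IoC list).
AUTORUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
AUTORUN_VALUE = "AutoRun"
LOG_RELATIVE_PATH = r"Microsoft\ttmp.log"   # relative to %APPDATA%


@dataclass
class Finding:
    kind: str         # "registry" or "file"
    location: str     # key\value or full path
    detail: str       # what was observed
    remediation: str  # the removal step the write-up describes


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the .reg format written by `reg export`:
    [key] headers followed by "name"=value lines. Only REG_SZ string
    values are parsed; other types (dword:, hex:) are skipped. Keys and
    value names are lower-cased because the registry is case-insensitive.
    """
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg escapes backslash and double quote with a backslash.
            value = re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][m.group(1).lower()] = value
    return keys


def check_registry(reg_text: str) -> list[Finding]:
    """Flag a non-empty Command Processor AutoRun value."""
    values = parse_reg_export(reg_text).get(AUTORUN_KEY.lower(), {})
    cmd = values.get(AUTORUN_VALUE.lower(), "")
    if not cmd:
        return []
    return [Finding(
        "registry", f"{AUTORUN_KEY}\\{AUTORUN_VALUE}", cmd,
        f"capture the value for analysis, then delete the {AUTORUN_VALUE} value",
    )]


def check_files(file_listing: list[str], appdata: str) -> list[Finding]:
    """Flag the staging log at %APPDATA%\\Microsoft\\ttmp.log."""
    target = (appdata.rstrip("\\") + "\\" + LOG_RELATIVE_PATH).lower()
    return [
        Finding("file", path, "log of collected host data staged for upload",
                "preserve a copy for analysis, then delete the file")
        for path in file_listing if path.lower() == target
    ]


def triage(reg_text: str, file_listing: list[str], appdata: str) -> list[Finding]:
    """Run both checks and return every finding (empty list means clean)."""
    return check_registry(reg_text) + check_files(file_listing, appdata)


# Constructed sample inputs (not real captures). The AutoRun content is a
# placeholder path, not an actual BabyShark command line.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"CompletionChar"=dword:00000040
"AutoRun"="\"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\placeholder.cmd\""
'''
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"=""
'''
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\ttmp.log",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_APPDATA):
        print(f"[{f.kind}] {f.location}\n    seen: {f.detail}\n    action: {f.remediation}")
```

On a live host the same checks would read the key through `winreg` and walk %APPDATA% directly; parsing an export instead keeps the logic testable offline and lets the same code run over exports collected from many machines. Absence of both artifacts is not proof the machine is clean, which is why the write-up recommends a full anti-malware scan rather than stopping at these two deletions.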