BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | BabyShark has encoded data using certutil before exfiltration.[1] |
| Enterprise | T1083 | File and Directory Discovery | BabyShark has used |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | BabyShark has cleaned up all files associated with the secondary payload execution.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1012 | Query Registry | BabyShark has executed the |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |