Palo Alto Networks has discovered that the threat actor behind the BabyShark malware family has expanded its operations beyond espionage to also target the cryptocurrency industry.
The company’s threat research team, Unit 42, reached that conclusion after finding decoy documents related to xCryptoCrash, an online gambling game, which point to cryptocurrency users and businesses as a new target set.
Unit 42 analyzed samples found on an attacker-controlled server, including the initial malware used to launch the attacks as well as two other files, KimJongRAT and PCRat, which BabyShark installs on victim machines. The malware authors internally referred to those two files as “cowboys.”
In a research report published on Friday, Unit 42 analyst Mark Lim concludes that the BabyShark attacks are likely to continue and may expand to target additional industries.
KimJongRAT appears to be used to steal email credentials from Microsoft Outlook and Mozilla Thunderbird, as well as login credentials for Google, Facebook and Yahoo accounts stored in widely used browsers. KimJongRAT does not exfiltrate that data itself; it is sent to the attackers’ control server by other malware in the toolset, such as BabyShark and PCRat.
Unit 42 first identified BabyShark in February after analyzing the earliest known samples, which were used in spear-phishing attacks in November 2018. Those emails were crafted to appear to have been sent by a nuclear security expert at a U.S. national security think tank.
The emails had a subject line referencing North Korea’s nuclear issues, and an attached Excel document contained the BabyShark malware. The emails targeted the think tank where the nuclear expert works as well as a U.S. university that was the venue for a conference on North Korea denuclearization.
Unit 42 has shared technical data from its analysis, including indicators of compromise that defenders can use to protect against BabyShark, through the Cyber Threat Alliance and other organizations. Palo Alto Networks has taken steps to defend its customers from BabyShark by implementing protections into WildFire, Traps and other products.