BabyShark is another Trojan that is targeted not at regular home users but at a particular country's organizations. This time, the threat appears to be after United States intelligence facilities. As you can probably guess, the malicious application has capabilities that may allow it to steal sensitive information. The ones who may end up collecting it are the malware's creators, who remain unknown. Further in this report, we discuss how the threat could enter a system, what it is expected to do after it settles in, and how to erase it. Usually, it is advisable to deal with such vicious Trojans using reliable security tools and with the help of the targeted organization's technicians. In other words, if you get tricked into launching this threat, trying to delete BabyShark on your own could be a bad idea.
Like many other Trojans, BabyShark appears to be spreading through phishing emails. To be more precise, our researchers say that the malware's developers might be using spear-phishing attacks. Spear phishing is often employed to gain access to the systems of various institutions; thus, its victims are usually employees of some company rather than regular home users. Emails sent during such attacks might seem to come from a trustworthy person, for example, a colleague of the recipient or someone else they might know. According to some researchers, some BabyShark spear-phishing emails were sent to nuclear security experts, and their subject lines said the emails were about North Korea's nuclear issues. Unfortunately, if a victim takes the bait and opens the attached documents to view them, these files are expected to install the Trojan on the system.
It is also known that the hackers behind BabyShark tried to attack at least two United States organizations. One of them was a university that held a conference on North Korea denuclearization issues during the spear-phishing attacks. The other targeted institution was the country's research facility for national security issues. It looks like the primary goal of the hackers behind these attacks was to collect sensitive information, since it was noticed that BabyShark starts gathering data right after its installation. The malware was programmed to save the recorded data in a .log file, which is supposed to be sent to the cybercriminals' server. However, it is possible that the Trojan could do more, as it appears to await further commands after it finishes gathering and sending the collected information to its developers. Usually, such threats can also spy on their victims, interfere with their work, damage data on an infected machine, spread to other devices, etc.
Another thing the malware's victims ought to know is that BabyShark can restart with the operating system. This means that even though turning off an infected machine kills its process, turning the computer on again might relaunch the Trojan too. That is because the threat may create a Registry entry under HKCU\Software\Microsoft\Command Processor\AutoRun. Our researchers say that the malicious application's value name could be titled "powershell.exe mshta" or similar. Needless to say, to minimize the damage an organization could suffer after getting its system infected with BabyShark, it is vital to eliminate the malicious application as soon as possible, ideally before it manages to obtain any sensitive information.
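One way for an administrator to audit the persistence location described above, as example code added here rather than taken from the original report: it reads the Command Processor key the report names (plus its HKLM counterpart, which cmd.exe also consults; that addition is an assumption beyond the report) and flags any value whose name or data references powershell.exe or mshta, the indicator quoted above.

```powershell
# Added example, not from the original report: audit cmd.exe AutoRun persistence.
# The report names the HKCU key; HKLM is included for completeness (assumption).
$keys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Microsoft\Command Processor'
)
# Matches the indicator the report quotes ("powershell.exe mshta" or similar).
$pattern  = 'powershell(\.exe)?|mshta'
$findings = @()

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Check both the value name and its data, since either may carry the indicator.
        if ($name -match $pattern -or $data -match $pattern) {
            $findings += [pscustomobject]@{
                Key  = $key
                Name = if ($name -eq '') { '(Default)' } else { $name }
                Data = $data
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Command Processor AutoRun values reference powershell.exe or mshta.'
} else {
    Write-Output 'Suspicious Command Processor AutoRun values found; review before removing:'
    $findings | Format-Table -AutoSize
    # After confirming with the organization's incident responders, the entry can be
    # removed with: Remove-ItemProperty -Path <Key> -Name '<value name>'
}
```

A legitimate AutoRun value is rare on workstations, so any hit here deserves a look even if it does not match the quoted indicator exactly.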