TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Targeted APT Activity: BABYSHARK Is Out for Blood | Huntress

2022-03-01

ATT&CK techniques detected

34 predictions
T1053.005 Scheduled Task
99%
“then stop itself from executing on the system. This was particularly interesting to us. This attack was tailored to focus only on Bob. If (and only if) the username matched Bob, then it would add persistence mechanisms in the Windows registry, stage new obfuscated files, and co…”
T1053.005 Scheduled Task
97%
“security community. Right of Boom and Backwards. This story begins with our tried-and-true service: detecting persistence, or how hackers establish and maintain access to their victim. Discovering persistence mechanisms keys us in that there was undeniably malicious threat ac…”
T1566.001 Spearphishing Attachment
93%
“document itself is the most cookie-cutter, vanilla phish bait that one might see in generic and bland cybersecurity training. Despite how often security professionals scream and shout about these barebone basics of security hygiene, still this can slip by and damage an organiza…”
T1059.001 PowerShell
89%
“later discovered dev.vbs on Bob's machine which looks to kickstart the dev.ps1 file — also present with the same contents under the filename onenote.vbs.) On a separate user's machine (we will call them Charlie for the sake of storytelling) we discovered the onenote.vb…”
T1204.002 Malicious File
87%
“we were unable to retrieve the original file from the malicious hosting URL. Neither the faked voa_korea.docx file nor the DLL were still present on the newfound beastmodser[.]club domain… but it is at least known evil. Other reports on BABYSHARK malware have explained how…”
T1059.005 Visual Basic
87%
“visibility. Peeling back the layers with a better understanding of what we were looking at, we continued to dig through the qwert.vbs sample. From reading the code, we could see that this scheduled VBScript would download the contents of this Google Drive page on first execution…”
T1204.002 Malicious File
84%
“markings. North Korea's recent BABYSHARK malware works with the fileless technique by downloading encrypted malicious scripts from Google Drive. Malicious scripts distinguish between start and end with "johnbegin" and "johnend". pic.twitter.com/6inrjqeecs — issuemakersl…”
T1195.001 Compromise Software Dependencies and Development Tools
82%
“monitoring, and hunting. All the threads of this story could not have unfolded without the data retention and logged information available to our team of analysts and investigators. Whether the infecting malware stems from an unskilled actor, just grabbing code off the shelf, or…”
T1071.001 Web Protocols
82%
“The observed APT activity is highly targeted against this organization and affiliated individuals. The target organization fits the category of "think tanks," as alluded to in the very beginning of this post. Additionally, this target's computer had a hostname referring to th…”
T1071 Application Layer Protocol
82%
“present. This code is exactly in line with what we uncovered from the normal.crp, but it pulls from a different C2 domain (worldinfocontact[.]club rather than hodbeast[.]com). The distinction between these domains seemed to be that worldinfocontact[.]club is their bea…”
T1566.001 Spearphishing Attachment
81%
“we found earlier. The timestamps for this file placed our timeline starting on March 9, 2021. This helped us narrow down the timeframe from when the malicious document(s) may have been downloaded. The APT group is known to use spear phishing emails with malicious links embedde…”
T1204.002 Malicious File
81%
“wall — the .doc file was password protected. This doubles as both a sneaky phishing tactic, but also to potentially hide malicious macros from antivirus software. It was at this point that we went from hunting to hacking and started trying to crack open the file. We do say our of…”
T1055.001 Dynamic-link Library Injection
79%
“'s host, we uncovered multiple other strange files. r.vbs seemed to kill the onedrive.exe process, wait three seconds, and remove a version.dll file present in the same directory as the OneDrive executable. Then, five seconds later, it runs the onedrive.exe process once more.…”
T1566.001 Spearphishing Attachment
77%
“compromise. Thinking back to the malicious VBScript, wasn't the target Bob, and not Alex? The threat actor may have used a roundabout method to get the true victim… but it worked. Alex forwarded the email to their co-workers for their approval and carbon-copied the other v…”
T1566.002 Spearphishing Link
75%
“compromise. Thinking back to the malicious VBScript, wasn't the target Bob, and not Alex? The threat actor may have used a roundabout method to get the true victim… but it worked. Alex forwarded the email to their co-workers for their approval and carbon-copied the other v…”
T1059.005 Visual Basic
73%
“tasks, there was an occurrence of a script cf8c.vbs being run out of Alex's temporary directory. wscript.exe c:\users\alex\appdata\local\temp\cf8c.vbs [morevbscript] This cf8c.vbs file was no longer present on the host, but considering it had practically the…”
T1059.005 Visual Basic
71%
“.vbs would be executed every 61 minutes. This was also confirmed by looking at the data collected by Process Insights. Process Insights is the newest addition to the Huntress managed security platform, offering greater visibility and telemetry on actions performed on an endpoint…”
T1566.001 Spearphishing Attachment
66%
“if they could find the original email. Here we showcase a fascinating back-and-forth with some cunning deception and a well-played scheme. The threat actor reaches out to Alex under the guise of collecting info for the VOA, masquerading as a real VOA author (that author li…”
T1574.001 DLL
65%
“user and convince them of the phish: (http[:]//beastmodser[.]club/sil/0304/voa_korea[.]docx) - checks for the presence of antivirus products like Bitdefender or Norton Security, and quits if present - disables Microsoft Word macro protections in registry - down…”
T1053.005 Scheduled Task
64%
“we can decode the base64 text to obtain a DLL file. Loading the DLL in pestudio reveals a PDB path that leaves nothing to the imagination: "h:\hollow\googledrive_rat_load_complete\rat_load\release\rat_load.pdb" It's worth noting that this file cannot be…”
T1566.001 Spearphishing Attachment
58%
“user and convince them of the phish: (http[:]//beastmodser[.]club/sil/0304/voa_korea[.]docx) - checks for the presence of antivirus products like Bitdefender or Norton Security, and quits if present - disables Microsoft Word macro protections in registry - down…”
T1566.002 Spearphishing Link
57%
“if they could find the original email. Here we showcase a fascinating back-and-forth with some cunning deception and a well-played scheme. The threat actor reaches out to Alex under the guise of collecting info for the VOA, masquerading as a real VOA author (that author li…”
T1204.002 Malicious File
52%
“files were scanned and when. Using the logs across all three hosts, we uncovered only a handful of files that were present on each host. The most interesting file that stuck out to us was voa_korea.zip. From the logs, we could tell it had a .doc file inside of it, and this see…”
T1055.001 Dynamic-link Library Injection
52%
“we can decode the base64 text to obtain a DLL file. Loading the DLL in pestudio reveals a PDB path that leaves nothing to the imagination: "h:\hollow\googledrive_rat_load_complete\rat_load\release\rat_load.pdb" It's worth noting that this file cannot be…”
T1041 Exfiltration Over C2 Channel
52%
“| format-list path - cmd.exe /c whoami - cmd.exe /c net user - tasklist The ttmp1.log file is then base64 encoded with certutil -f -encode to be saved as ttmp.log and then uploaded to https[:]//hodbeast[.]com/silver/upload[.]php with a POST request. This dat…”
T1059.001 PowerShell
49%
“procedure from the C2 (when no other commands were pending) to ensure whatever DLL hijacking they set up would continue to execute, even if the OneDrive process was stopped. We will revisit the alleged DLL hijacking technique in our analysis of other artifacts soon. This deobfu…”
T1059.001 PowerShell
49%
“tasks, there was an occurrence of a script cf8c.vbs being run out of Alex's temporary directory. wscript.exe c:\users\alex\appdata\local\temp\cf8c.vbs [morevbscript] This cf8c.vbs file was no longer present on the host, but considering it had practically the…”
T1055.001 Dynamic-link Library Injection
43%
“procedure from the C2 (when no other commands were pending) to ensure whatever DLL hijacking they set up would continue to execute, even if the OneDrive process was stopped. We will revisit the alleged DLL hijacking technique in our analysis of other artifacts soon. This deobfu…”
T1566.001 Spearphishing Attachment
38%
“wall — the .doc file was password protected. This doubles as both a sneaky phishing tactic, but also to potentially hide malicious macros from antivirus software. It was at this point that we went from hunting to hacking and started trying to crack open the file. We do say our of…”
T1059.007 JavaScript
38%
“tasks, there was an occurrence of a script cf8c.vbs being run out of Alex's temporary directory. wscript.exe c:\users\alex\appdata\local\temp\cf8c.vbs [morevbscript] This cf8c.vbs file was no longer present on the host, but considering it had practically the…”
T1566.002 Spearphishing Link
36%
“Targeted APT Activity: BABYSHARK Is Out for Blood | Huntress. TL;DR: This blog follows the ThreatOps investigation of targeted DPRK (North Korean) backed cyber espionage efforts against nuclear think tanks. It details the threat hunt from beginning to end, including how our…”
T1059.001 PowerShell
34%
“, false) Unfortunately we were unable to find the version.dll file on Alex's host or any other affected machines. Considering the file placement, this looks to be a known DLL hijacking technique to run additional code. Considering this script removes the version.dll file, on…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
33%
“| format-list path - cmd.exe /c whoami - cmd.exe /c net user - tasklist The ttmp1.log file is then base64 encoded with certutil -f -encode to be saved as ttmp.log and then uploaded to https[:]//hodbeast[.]com/silver/upload[.]php with a POST request. This dat…”
T1204.002 Malicious File
32%
“user and convince them of the phish: (http[:]//beastmodser[.]club/sil/0304/voa_korea[.]docx) - checks for the presence of antivirus products like Bitdefender or Norton Security, and quits if present - disables Microsoft Word macro protections in registry - down…”

Summary

We discovered malicious, targeted advanced persistent threat (APT) activity on a partner's system. Here, we dive into the BABYSHARK malware strain.