New Malware BabyShark Attempts to Infect Users at US Think Tanks and Academic Institutions

Since November 2018, suspected North Korean threat actors have targeted US national security think tanks and academic institutions with spear-phishing emails containing malicious attachments meant to deliver a new malware dubbed “BabyShark.” These emails appear to be sent from a nuclear security expert and contain subjects related to North Korean nuclear issues and other security concerns. The attached document asks the user to enable macros, which then allows the malicious BabyShark Microsoft Visual Basic (VB) script to run. The purpose of the malware is to monitor infected systems and collect data. The NJCCIC highly discourages users from enabling macros in documents that come in unexpected or unsolicited emails, recommends exercising caution when choosing to enable macros in documents that come with emails from known senders, and recommends keeping anti-virus/anti-malware, hardware, and software up to date. More information is detailed in the Unit 42 post.