BabyShark Is yet Another Malicious Threat to Spread via Emails

Our email inboxes have not been safe for years now, but we continue to get tricked into opening misleading messages sent by schemers and cybercriminals. Some of them are set up to trick us into disclosing personal information. Others are employed to scam us out of our money. Finally, we have those spam emails that are created to expose us to malicious infections. This method has been employed by the attackers behind the malicious BabyShark, a Trojan that silently collects and leaks sensitive information after execution. If this dangerous threat is discovered, it must be removed as soon as possible, but even if you delete BabyShark, a great deal of damage could have been done already.

If you discover BabyShark, it is most likely that you are part of a government agency or a nuclear security-related agency. You could also work for a university, a large manufacturing company, or any other big entity. The creators of the malicious BabyShark Trojan are unlikely to come after Windows users who do not have information that could be used in larger attacks. The Trojan was first detected at the end of 2018, and at that time it impersonated a nuclear security consultant who was reaching out to a university and a research institute with information about an upcoming conference on North Korean nuclear issues. Such a conference was hosted in real life, and so the victims could have expected an email from that consultant. Of course, cybercriminals were using his name to deliver malware.

The misleading email message contained a document attachment, and to open it, macros had to be enabled. If the victim was tricked into enabling macros, the Visual Basic (VB) script-based infection was executed without the victim’s knowledge. Immediately, BabyShark created an entry in the Registry (HKCU\Software\Microsoft\Command Processor\AutoRun) to ensure that it could run automatically. It also created a file named “ttmp.log” (the name could change) in %APPDATA%\Microsoft\. This file acted as a container for all of the collected information. After recording it, BabyShark would send it to a C&C server for the remote attackers to access and use however they wished. Unfortunately, because the infection is likely to be targeted at organizations and companies that keep sensitive information, it could end up leaking that information to malicious parties, who might include hostile states, terrorists, or hackers who make money by selling it.
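As an added detection example (not code from the original write-up), the Python below flags the two host artifacts this paragraph names, the Command Processor AutoRun value and the ttmp.log file under %APPDATA%\Microsoft\, in constructed Sysmon-style events; the flattened event format, the sample paths and process names, and the looser match on any .log dropped in that folder (since the write-up says the name can change) are assumptions.

```python
"""BabyShark artifact detection over constructed Sysmon-style events."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Artifacts from the write-up: the cmd.exe AutoRun persistence value and the
# collection file dropped in %APPDATA%\Microsoft\ (expanded path below).
AUTORUN_VALUE = r"hkcu\software\microsoft\command processor\autorun"
STAGING_DIR = r"\appdata\roaming\microsoft"
STAGING_FILE = "ttmp.log"

# Constructed sample telemetry (not real logs): flattened "field=value|..."
# lines; EventID 13 = registry value set, EventID 11 = file created.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Windows\System32\wscript.exe"
    r"|TargetObject=HKCU\Software\Microsoft\Command Processor\AutoRun|Details=<omitted>",
    r"EventID=11|Image=C:\Windows\System32\cmd.exe"
    r"|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\ttmp.log",
    r"EventID=11|Image=C:\Windows\System32\cmd.exe"
    r"|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\out1.log",
    r"EventID=13|Image=C:\Windows\regedit.exe"
    r"|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=<omitted>",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary."""
    return dict(part.split("=", 1) for part in line.split("|") if "=" in part)

def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, finding) if the event matches a BabyShark artifact."""
    eid = event.get("EventID")
    if eid == "13" and event.get("TargetObject", "").lower() == AUTORUN_VALUE:
        return ("high", "cmd.exe AutoRun value modified")
    if eid == "11":
        directory, name = ntpath.split(event.get("TargetFilename", ""))
        if directory.lower().endswith(STAGING_DIR):
            if name.lower() == STAGING_FILE:
                return ("high", f"known BabyShark staging file {name}")
            if name.lower().endswith(".log"):
                # The write-up says the name can change, so any .log dropped
                # directly in this folder is flagged at lower severity.
                return ("medium", f"unexpected .log in %APPDATA%\\Microsoft: {name}")
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every line; return (severity, finding, writing image) per hit."""
    hits = []
    for event in map(parse_event, lines):
        result = classify(event)
        if result:
            hits.append(result + (event.get("Image", ""),))
    return hits
```

The benign Run-key event in the sample is deliberately left unflagged, so a real deployment would pair this with the usual autostart-location monitoring rather than replace it.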

So, if you have discovered BabyShark, the first thing you need to do is contact the security team within your company, because they need to get to the root of the issue. The security system protecting your computers could have a flaw, or your operating system could be outdated. Also, if you have been exposed to a malicious phishing email, there is a good chance that your colleagues have been exposed to the same email too, and they need to be warned. In any case, your security team will know the best way to proceed. The most important thing is that you do not waste any time in reporting the issue, because the reputation and overall security of your organization or company could be on the line.

Whether you are part of a large company whose security you need to protect, or you are an individual Windows user, you need to be exceptionally careful about the emails you receive. While most spam emails are clearly unreliable and misleading, some of them can trick you into opening links and files that lead to the execution of malware. Ransomware, keyloggers, miners, Trojans – such as BabyShark – and other kinds of dangerous threats could access your operating system this way, and so you need to be cautious. If you have not ordered anything, you do not have pending events, or you have not planned any trips, do not be fooled by emails that ask for shipment or reservation confirmations. Also, make sure that macros are disabled by default, so that malware cannot be executed without your input.
