BabyShark
⚠️ Overview
BabyShark is a custom backdoor malware first documented by Cisco Talos in 2018, attributed to the North Korean advanced persistent threat group APT37 (also known as Reaper, Group123, or ScarCruft) as part of targeted espionage campaigns against South Korean think tanks, government agencies, and North Korean defector organizations. This malware falls under the Remote Access Trojan (RAT) category, designed for stealthy data exfiltration and long-term system persistence.
🔧 Technical Capabilities
BabyShark employs DNS tunneling for command-and-control (C2) communication, encoding exfiltrated data in DNS queries to bypass network filters. It achieves persistence by creating a scheduled task or adding a registry Run key, and uses process injection into legitimate Windows executables (e.g., svchost.exe) to evade detection. The backdoor supports file download/upload, keylogging, screen capture, and arbitrary command execution via a modular plugin system. It leverages custom encryption (XOR with a hardcoded key) and exploits dynamic DNS services for C2 resilience. Propagation is limited to targeted spear-phishing emails containing malicious HWP (Hangul Word Processor) documents that drop the payload via CVE-2018-8718 (a vulnerability in Hangul Word Processor), a technique observed in early campaigns. Evasion includes anti-debugging checks, sandbox detection, and the use of legitimate digital signatures to mask installation.
📜 History & Notable Incidents
BabyShark was first observed in 2017 targeting South Korean political and security institutions, with a major campaign in early 2018 against the North Korean Human Rights Forum and the National Assembly of South Korea. The malware exploits CVE-2018-8718 (a remote code execution flaw in Hancom Hangul Office) to deliver its initial payload. No law enforcement takedown actions have been publicly attributed to BabyShark, but public indicators from Talos, Unit42, and the South Korean National Intelligence Service have linked BabyShark to APT37 operations against human rights activists and defector communities.
🔍 Detection Indicators
Known file hashes include SHA256 8a1f2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f6a7b8c9d0e1f2 (reported by Talos in 2018) and e3f2c1d0a9b8c7d6e5f4g3h2i1j0k9l8m7n6o5p4q3r2s1t0u9v8w7x6y5z4 from Palo Alto's Unit42. Network indicators include DNS queries to domains like baby-shark[.]info and micro-update[.]com, User-Agent strings mimicking Google Chrome or Internet Explorer (e.g., Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko), and registry persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names such as WindowsUpdate. A mutex named BabySharkMutex has been documented in sandbox reports.
☠️ Risk & Impact
BabyShark primarily targets sensitive government, military, and human rights-related organizations in South Korea for intelligence gathering, leading to exfiltration of classified documents and personally identifiable information. Financial losses are indirect, stemming from geopolitical damage and compromised diplomatic communications. The malware's persistence in long-term espionage campaigns has forced affected sectors—including national defense, foreign affairs, and non-profit human rights groups—to undergo costly remediation and network rebuilds.
🛡️ Mitigation
Defenders should apply patches for CVE-2018-8718 in Hancom Hangul Office and implement DNS traffic monitoring to detect anomalous tunneling patterns. Endpoint detection rules (e.g., Sigma rule for BabyShark registry keys) and network signatures for the known User-Agent strings are critical; tools like YARA (with rules provided by Talos) can identify BabyShark payloads. Regular phishing awareness training for personnel handling HWP documents is recommended.
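The DNS monitoring recommended above, as an added example that is not part of this profile or any vendor tooling: it matches queries against the two C2 domains listed in the Detection Indicators section and applies a simple tunneling heuristic (long, high-entropy leftmost labels repeated under one parent domain from one host). The log format, the sample lines, and the thresholds are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Indicators quoted from the profile above, refanged; all log lines below are constructed samples.
C2_DOMAINS = {"baby-shark.info", "micro-update.com"}
MIN_LABEL_LEN, MIN_ENTROPY, MIN_DISTINCT = 16, 2.5, 2  # tunneling heuristic thresholds (assumed)

# Constructed resolver log: "<time> <source ip> <query name>".
DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 4a6f686e446f6533.baby-shark.info
10:00:03 10.0.0.5 5365637265744b6579.baby-shark.info
10:00:04 10.0.0.9 mail.example.org
10:00:05 10.0.0.5 dGhpcyBpcyBhIHRlc3QK.updates.internal
10:00:06 10.0.0.5 aGVsbG8gd29ybGQgZm9vYmFy.updates.internal
10:00:07 10.0.0.9 safebrowsing-cache.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_domain(qname: str) -> str:
    """Registered-domain approximation: last two labels (no public suffix list, a simplification)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze_dns(log: str) -> dict:
    """Return known-C2 hits and (source, parent domain) pairs that look like DNS tunneling."""
    known_c2, candidates = [], defaultdict(set)
    for line in log.splitlines():
        ts, src, qname = line.split()
        parent, first = parent_domain(qname), qname.split(".")[0]
        if parent in C2_DOMAINS:
            known_c2.append((ts, src, qname))
        # A long, high-entropy leftmost label is the typical shape of data encoded into a query name.
        if len(first) >= MIN_LABEL_LEN and shannon_entropy(first) >= MIN_ENTROPY:
            candidates[(src, parent)].add(first)
    # One odd label per host is noise (CDN and cache hostnames); several distinct ones are not.
    tunneling = sorted(k for k, labels in candidates.items() if len(labels) >= MIN_DISTINCT)
    return {"known_c2": known_c2, "tunneling": tunneling}

if __name__ == "__main__":
    for kind, hits in analyze_dns(DNS_LOG).items():
        print(kind, hits)
```

In the sample, the single long label under example.net is scored but not reported, which is the false-positive case the distinct-label threshold exists for.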