Potential Baby Shark Malware Activity

calendar Aug 12, 2024 · attack.execution attack.defense-evasion attack.discovery attack.t1012 attack.t1059.003 attack.t1059.001 attack.t1218.005 detection.emerging-threats  ·
Share on: linkedin copy

Detects activity that could be related to Baby Shark malware

Sigma rule (View on GitHub)

 1title: Potential Baby Shark Malware Activity
 2id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
 3status: test
 4description: Detects activity that could be related to Baby Shark malware
 5references:
 6    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 7author: Florian Roth (Nextron Systems)
 8date: 2019-02-24
 9modified: 2023-03-08
10tags:
11    - attack.execution
12    - attack.defense-evasion
13    - attack.discovery
14    - attack.t1012
15    - attack.t1059.003
16    - attack.t1059.001
17    - attack.t1218.005
18    - detection.emerging-threats
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        - CommandLine|contains|all:
25              - 'powershell.exe mshta.exe http'
26              - '.hta'
27        - CommandLine|contains:
28              - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
29              - 'cmd.exe /c taskkill /im cmd.exe'
30              - "(New-Object System.Net.WebClient).UploadFile('http"
31    condition: selection
32falsepositives:
33    - Unknown
34level: high

References

  • New BabyShark Malware Targets U.S. National Security Think Tanks

    In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.


    Read More

Related rules

to-top