Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Sigma rule (View on GitHub)
1title: Potential Baby Shark Malware Activity
2id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
3status: test
4description: Detects activity that could be related to Baby Shark malware
5references:
6 - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
7author: Florian Roth (Nextron Systems)
8date: 2019/02/24
9modified: 2023/03/08
10tags:
11 - attack.execution
12 - attack.defense_evasion
13 - attack.discovery
14 - attack.t1012
15 - attack.t1059.003
16 - attack.t1059.001
17 - attack.t1218.005
18 - detection.emerging_threats
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 - CommandLine|contains|all:
25 - 'powershell.exe mshta.exe http'
26 - '.hta'
27 - CommandLine|contains:
28 - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
29 - 'cmd.exe /c taskkill /im cmd.exe'
30 - "(New-Object System.Net.WebClient).UploadFile('http"
31 condition: selection
32falsepositives:
33 - Unknown
34level: high
References
-
In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.
Read More
Related rules
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Sofacy Trojan Loader Activity
- Potential Bumblebee Remote Thread Creation
- HackTool - CrackMapExec Execution