What is the BabyShark Malware?



The BabyShark malware is a relatively new malware strain that is associated with state actors from North Korea. It was first identified in February 2019 by Palo Alto Networks Unit 42 researchers.

Cybersecurity researchers were able to pinpoint its origin because it is distributed using spear phishing techniques that are associated with North Korea. In this particular case, the spear phishing emails were crafted to appear to come from a leading US-based nuclear expert. The emails contained the name of the expert and topics relating to the hot-button issue of the North Korean nuclear missile program.

Another pointer to North Korean hacking groups is the fact that the malware uses the same infiltration techniques as the KimJongRAT and STOLEN PENCIL malware strains, both of which are associated with the Hermit Kingdom.

What Does the BabyShark Malware Do?

The first stage of infection by the BabyShark malware involves the execution of a Microsoft Visual Basic script that is contained in a malicious MS Excel file.

The VB script enables a series of macros for both MS Word and Excel that add registry keys and issue commands to find user information, system information, system name, IP address, and running tasks and their versions.

The foraged information is then sent to a command and control server (C&C), but not before it’s encrypted by the BabyShark malware using an executable file that is called certutil.exe. After sending this initial information, the malware entity then sits idly waiting for commands from the C&C.
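The chain described above (an Office document launching a script, registry changes, system discovery commands, then certutil.exe) can be hunted for in process-creation logs. The following Python is an added example, not code from the original article or from the Unit 42 research; the event fields, the specific discovery utilities, the 300-second window and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# Assumption: the article names no commands; these Windows built-ins stand in for
# "user information, system information, system name, IP address, running tasks".
RECON = {"whoami.exe", "systeminfo.exe", "hostname.exe", "ipconfig.exe", "tasklist.exe"}
OFFICE = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
CORE = {"office_spawned_script_host", "registry_write", "certutil"}
WINDOW = 300  # seconds after the Office child starts (assumed correlation window)

def base(path):
    return re.split(r"[\\/]", path)[-1].lower()

def detect(events):
    """events: (host, ts, pid, ppid, parent, image, cmdline); returns flagged hosts."""
    tainted = defaultdict(dict)  # host -> {pid: start time of Office-rooted chain}
    stages = defaultdict(set)
    for host, ts, pid, ppid, parent, image, cmdline in sorted(events, key=lambda e: e[1]):
        img, start = base(image), tainted[host].get(ppid)
        if base(parent) in OFFICE and img in SCRIPT_HOSTS:
            start = ts
            stages[host].add("office_spawned_script_host")
        if start is None or ts - start > WINDOW:
            continue
        tainted[host][pid] = start  # descendants inherit the chain
        if img in RECON:
            stages[host].add("recon:" + img)
        elif img == "reg.exe" and re.search(r"\badd\b", cmdline, re.I):
            stages[host].add("registry_write")
        elif img == "certutil.exe":
            stages[host].add("certutil")
    return {h: sorted(s) for h, s in stages.items()
            if CORE <= s and sum(x.startswith("recon:") for x in s) >= 3}

# Constructed sample events (not real telemetry); the registry path is a placeholder.
SYS, XL = "C:\\Windows\\System32\\", "C:\\Program Files\\Office\\EXCEL.EXE"
SAMPLE = [
    ("WS-01", 0, 110, 100, XL, SYS + "wscript.exe", ""),
    ("WS-01", 2, 120, 110, SYS + "wscript.exe", SYS + "cmd.exe", ""),
    ("WS-01", 3, 121, 120, SYS + "cmd.exe", SYS + "reg.exe", "reg add HKCU\\Software\\PLACEHOLDER /f"),
    ("WS-01", 4, 122, 120, SYS + "cmd.exe", SYS + "whoami.exe", ""),
    ("WS-01", 5, 123, 120, SYS + "cmd.exe", SYS + "ipconfig.exe", ""),
    ("WS-01", 6, 124, 120, SYS + "cmd.exe", SYS + "tasklist.exe", ""),
    ("WS-01", 9, 125, 120, SYS + "cmd.exe", SYS + "certutil.exe", ""),
    # Benign look-alike: an admin running the same utilities from a normal shell.
    ("WS-02", 0, 210, 200, "C:\\Windows\\explorer.exe", SYS + "cmd.exe", ""),
    ("WS-02", 1, 211, 210, SYS + "cmd.exe", SYS + "whoami.exe", ""),
    ("WS-02", 3, 213, 210, SYS + "cmd.exe", SYS + "certutil.exe", ""),
]
```

Calling detect(SAMPLE) flags only WS-01, because the same utilities on WS-02 do not descend from an Office process.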

It is believed that the main goal of the threat actors behind the malware entity is intelligence gathering related to Northeast Asia’s national security issues.

How to Remove the BabyShark Malware

Although the BabyShark malware is distributed via MS Word and Excel files, it is itself a fileless malware. That is to say, it doesn’t reside in any specific folder, as it is simply code that can run as many times as needed.

This makes it a very hard target for most anti-malware software, except those with a focus on behavior monitoring, application containment, and endpoint hardening. That is why we recommend Outbyte Anti-Malware as it is known to employ these techniques and more.

The anti-malware will perform a deep cleanse on your system and remove any malware entities, but you will have to run your Windows or Mac device in Safe Mode with Networking so that the malware entity does not have the chance to interfere with autostart items.

After the anti-malware has done its work, you should deploy a PC repair tool to clean the contaminated downloads and temp folders where the virus probably resides.

The PC repair tool will also repair any damage to the registry entry files.

After you have successfully removed the malware entity, you now need to take measures that will ensure that you never get infected again.

Protect Your System from the BabyShark Malware

The best way to protect your computer from the BabyShark malware is to take care and not be caught up in spear phishing campaigns of the kind that North Korea prefers to use. Sure, the emails and their attachments can be very tempting, but you’ve got to understand that they appear that way for a reason.

Plus, you always have the option to double-check whether or not the emails are authentic. In the case of the BabyShark malware, what are the chances that a renowned nuclear expert from the US would share North Korea-related files in an email shared with random people? See? It is that easy.

Finally, you should have a powerful anti-malware tool on your computer at all times. Use it to scan your device as often as you can.
