‘BabyShark’ Targets Cryptocurrency Industry

Palo Alto Networks blog, Threat Research, published 2019-04-26
Link: https://origin-researchcenter.paloaltonetworks.com/blog/2019/04/babyshark-targets-cryptocurrency-industry/

Palo Alto Networks has discovered that the threat actor behind the BabyShark malware family has expanded its operations beyond espionage to also target the cryptocurrency industry.

The company's threat research team, Unit 42, discovered decoy documents related to xCryptoCrash, an online gambling game, that show the attackers are now also targeting the cryptocurrency industry.

Unit 42 analyzed samples found on an attacker-controlled server, including the initial malware used to launch the attacks as well as two other files, KimJongRAT and PCRat, which BabyShark installs on victim machines. The malware authors internally referred to those two files as "cowboys."

In a research report published on Friday (https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/), Unit 42 analyst Mark Lim concludes that the BabyShark attacks are likely to continue and may expand to target additional industries.

KimJongRAT appears to be used to steal email credentials from Microsoft Outlook and Mozilla Thunderbird, as well as login credentials for Google, Facebook and Yahoo accounts stored in widely used browsers. That data is then sent to the attackers' control server using other malware, such as BabyShark and PCRat.

Unit 42 first discovered BabyShark in February (https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/) after analyzing the earliest known samples, which were used in November 2018 spear phishing attacks. Those emails were written to appear to have been sent by a nuclear security expert at a U.S. national security think tank.

The emails had a subject line referencing North Korea's nuclear issues, and an attached Excel document contained the BabyShark malware. The emails targeted the think tank where the nuclear expert works as well as a U.S. university that was the venue for a conference on North Korea denuclearization.

Unit 42 has shared technical data from its analysis, including indicators of compromise that defenders can use to protect against BabyShark, through the Cyber Threat Alliance and other organizations. Palo Alto Networks has taken steps to defend its customers from BabyShark by implementing protections in WildFire, Traps and other products.

Tags: BabyShark malware family, cryptocurrency, Cyber Threat Alliance, xCryptoCrash