{
  "type": "URL",
  "indicator": "https://tdalpacafarm.com/files/kr/contents/upload.php'",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://tdalpacafarm.com/files/kr/contents/upload.php'",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3658656637,
      "indicator": "https://tdalpacafarm.com/files/kr/contents/upload.php'",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "645ce53eab950ee17812f8b4",
          "name": "Kimsuky Malware Observed in Latest Campaign Updated With New Recon Component",
          "description": "On 04 May 2023, SentinelOne reported that they identified an ongoing campaign from Kimsuky, a North Korean state-sponsored APT group, that modified the reconnaissance component of the BABYSHARK malware, called RECONSHARK by SentinelOne. Kimsuky weaponized BABYSHARK with the updated reconnaissance component in a macro-enabled Word document hosted on OneDrive, delivering spear-phishing emails with the OneDrive link. RECONSHARK can deploy further payloads and sends the information collected to the command and control server via HTTP POST requests as string variables. A previous analysis of BABYSHARK by Palo Alto's Unit 42 reported that the first stage used mshta.exe to load and execute an HTA file from the C2 server. BABYSHARK then registers two scripts as scheduled tasks and a registry key to maintain persistence. The scheduled task launches cmd.exe, and the registry key value runs mshta.exe to execute an HTA file hosted on a C2 server.",
          "modified": "2023-05-11T13:21:23.687000",
          "created": "2023-05-11T12:53:18.093000",
          "tags": [
            "threatactor/kimsuky",
            "dw-osint-cib",
            "malware/babyshark"
          ],
          "references": [
            "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/",
            "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "BabyShark",
              "display_name": "BabyShark",
              "target": null
            },
            {
              "id": "ReconShark",
              "display_name": "ReconShark",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            }
          ],
          "industries": [
            "Professional, Scientific, and Technical Services",
            "Educational Services",
            "Public Administration"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 17,
            "domain": 6,
            "hostname": 41,
            "FileHash-MD5": 15,
            "FileHash-SHA256": 15,
            "URL": 3
          },
          "indicator_count": 97,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "1118 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642e8ec2beaeabc41abaab02",
          "name": "New BabyShark Malware Targets U.S. National Security Think Tanks",
          "description": "A North Korean threat actor is believed to be targeting a US national security think tank, according to researchers at Palo Alto Networks, who identified a new family of malware called \"BabyShark\u2019s\".",
          "modified": "2023-04-06T09:20:02.166000",
          "created": "2023-04-06T09:20:02.166000",
          "tags": [
            "babyshark",
            "kimjongrat",
            "stolen pencil",
            "november",
            "palo alto",
            "north korea",
            "northeast asia",
            "c2 server",
            "appdata",
            "decoy filename",
            "date",
            "alliance",
            "february",
            "shell",
            "wildfire"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Korea, Democratic People's Republic of",
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "STOLEN PENCIL",
              "display_name": "STOLEN PENCIL",
              "target": null
            },
            {
              "id": "KimJongRAT",
              "display_name": "KimJongRAT",
              "target": null
            },
            {
              "id": "BabyShark",
              "display_name": "BabyShark",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1153 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
        "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "Kimsuky"
          ],
          "malware_families": [
            "Stolen pencil",
            "Reconshark",
            "Babyshark",
            "Kimjongrat"
          ],
          "industries": [
            "Educational services",
            "Professional, scientific, and technical services",
            "Public administration"
          ],
          "unique_indicators": 97
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/tdalpacafarm.com",
    "whois": "http://whois.domaintools.com/tdalpacafarm.com",
    "domain": "tdalpacafarm.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "645ce53eab950ee17812f8b4",
      "name": "Kimsuky Malware Observed in Latest Campaign Updated With New Recon Component",
      "description": "On 04 May 2023, SentinelOne reported that they identified an ongoing campaign from Kimsuky, a North Korean state-sponsored APT group, that modified the reconnaissance component of the BABYSHARK malware, called RECONSHARK by SentinelOne. Kimsuky weaponized BABYSHARK with the updated reconnaissance component in a macro-enabled Word document hosted on OneDrive, delivering spear-phishing emails with the OneDrive link. RECONSHARK can deploy further payloads and sends the information collected to the command and control server via HTTP POST requests as string variables. A previous analysis of BABYSHARK by Palo Alto's Unit 42 reported that the first stage used mshta.exe to load and execute an HTA file from the C2 server. BABYSHARK then registers two scripts as scheduled tasks and a registry key to maintain persistence. The scheduled task launches cmd.exe, and the registry key value runs mshta.exe to execute an HTA file hosted on a C2 server.",
      "modified": "2023-05-11T13:21:23.687000",
      "created": "2023-05-11T12:53:18.093000",
      "tags": [
        "threatactor/kimsuky",
        "dw-osint-cib",
        "malware/babyshark"
      ],
      "references": [
        "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/",
        "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "BabyShark",
          "display_name": "BabyShark",
          "target": null
        },
        {
          "id": "ReconShark",
          "display_name": "ReconShark",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        }
      ],
      "industries": [
        "Professional, Scientific, and Technical Services",
        "Educational Services",
        "Public Administration"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 17,
        "domain": 6,
        "hostname": 41,
        "FileHash-MD5": 15,
        "FileHash-SHA256": 15,
        "URL": 3
      },
      "indicator_count": 97,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "1118 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642e8ec2beaeabc41abaab02",
      "name": "New BabyShark Malware Targets U.S. National Security Think Tanks",
      "description": "A North Korean threat actor is believed to be targeting a US national security think tank, according to researchers at Palo Alto Networks, who identified a new family of malware called \"BabyShark\u2019s\".",
      "modified": "2023-04-06T09:20:02.166000",
      "created": "2023-04-06T09:20:02.166000",
      "tags": [
        "babyshark",
        "kimjongrat",
        "stolen pencil",
        "november",
        "palo alto",
        "north korea",
        "northeast asia",
        "c2 server",
        "appdata",
        "decoy filename",
        "date",
        "alliance",
        "february",
        "shell",
        "wildfire"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Korea, Democratic People's Republic of",
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "STOLEN PENCIL",
          "display_name": "STOLEN PENCIL",
          "target": null
        },
        {
          "id": "KimJongRAT",
          "display_name": "KimJongRAT",
          "target": null
        },
        {
          "id": "BabyShark",
          "display_name": "BabyShark",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 15,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1153 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://tdalpacafarm.com/files/kr/contents/upload.php'",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://tdalpacafarm.com/files/kr/contents/upload.php'",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780448530.5607166
}