Hackers Use ConnectWise ScreenConnect Vulnerabilities to Spread TODDLERSHARK Malware

North Korean threat actors have exploited the recently disclosed vulnerabilities in ConnectWise ScreenConnect to deploy a new malware known as TODDLERSHARK.

As per a report from Kroll shared with The Hacker News, TODDLERSHARK shares similarities with known Kimsuky malware like BabyShark and ReconShark.

“The threat actor managed to access the victim’s workstation by exploiting the vulnerable setup wizard of the ScreenConnect application,” explained security researchers Keith Wojcieszek, George Glass, and Dave Truman.

“Subsequently, they used cmd.exe to execute mshta.exe with a URL pointing to the Visual Basic (VB) based malware.”
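The chain the researchers describe, cmd.exe launching mshta.exe with a remote URL, leaves a distinctive process-creation trail. The following detection logic is an added example and not part of the Kroll report or the article; it runs over constructed Sysmon-style events (the field names ParentImage, Image and CommandLine follow Sysmon Event ID 1, the events and URLs are made up) and ranks each mshta.exe launch by how closely it matches that chain.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 layout.
# The field names follow Sysmon; the values are invented for this example
# and are not indicators from the Kroll report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage1"},      # the chain described above
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Documents\report.hta"},  # local HTA, weaker signal
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ping.exe",
     "CommandLine": "ping 127.0.0.1"},                                 # benign cmd.exe child
    {"ParentImage": r"C:\Windows\System32\CMD.EXE",
     "Image": r"C:\Windows\System32\MSHTA.EXE",
     "CommandLine": "MSHTA.EXE HTTPS://EXAMPLE.INVALID/a"},            # case variation must still match
]

# A remote payload is the key signal: mshta.exe fetching an http(s) URL.
URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows image path, so comparisons ignore case and directory."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Severity for one event: None if not mshta.exe, otherwise 'high', 'medium' or 'low'."""
    if _basename(event.get("Image", "")) != "mshta.exe":
        return None
    remote = URL_RE.search(event.get("CommandLine", "")) is not None
    from_cmd = _basename(event.get("ParentImage", "")) == "cmd.exe"
    if remote and from_cmd:
        return "high"      # exactly the cmd.exe -> mshta.exe <URL> chain
    if remote or from_cmd:
        return "medium"    # one of the two features; worth an analyst's look
    return "low"           # mshta.exe with a local file from an ordinary parent


def detect(events):
    """Return (index, severity) for every event at medium severity or above."""
    return [(i, sev) for i, ev in enumerate(events)
            if (sev := classify(ev)) in ("high", "medium")]
```

In a real deployment the medium tier is where a "mshta.exe with URL, parent not cmd.exe" variant would land, so it should be alerted on rather than suppressed.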

The flaws in question, CVE-2024-1708 and CVE-2024-1709, were disclosed last month and have since been exploited by various threat actors to distribute a range of malware, including cryptocurrency miners, ransomware, remote access trojans, and stealers.

Kimsuky, also known by aliases such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, KTA082, Nickel Kimball, and Velvet Chollima, has been expanding its arsenal of malware with new tools, with the latest additions being GoBear and Troll Stealer.

BabyShark, initially discovered in late 2018, is deployed using an HTML Application (HTA) file. Once executed, the VB script malware steals system information and connects to a command-and-control (C2) server to await further commands from the operator.

In May 2023, a variant of BabyShark called ReconShark was observed being distributed to targeted individuals via spear-phishing emails. TODDLERSHARK is believed to be the latest iteration of the same malware, showcasing similarities in code and behavior.

Aside from utilizing a scheduled task for persistence, TODDLERSHARK is designed to gather and transmit sensitive information from compromised hosts, serving as a valuable reconnaissance tool.

The researchers highlighted the polymorphic nature of TODDLERSHARK: identity strings in the code change, code position is altered by inserting generated junk code, and each sample uses a uniquely generated C2 URL, all of which could hinder detection in some environments.

These developments coincide with South Korea’s National Intelligence Service (NIS) accusing North Korea of infiltrating the servers of two local semiconductor manufacturers in December 2023 and February 2024. The threat actors targeted vulnerable servers to gain initial access, employing living-off-the-land (LotL) techniques instead of dropping traditional malware to avoid detection.

NIS stated that North Korea may be preparing to produce its own semiconductors, since sanctions make them difficult to acquire and demand from weapons development, such as satellites and missiles, has increased.
