North Korean APT Group Kimsuky Exploits ScreenConnect Vulnerabilities to Deploy New ToddleShark Malware
March 4, 2024
The North Korean Advanced Persistent Threat (APT) group Kimsuky is exploiting vulnerabilities in ScreenConnect, specifically CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant named ToddleShark. Kimsuky, also known as Thallium and Velvet Chollima, is a state-sponsored hacking group from North Korea notorious for cyber espionage attacks against worldwide organizations and governments. The group is capitalizing on authentication bypass and remote code execution flaws disclosed on February 20, 2024, when ConnectWise urged ScreenConnect customers to promptly upgrade their servers to version 23.9.8 or later. Public exploits for these vulnerabilities were released the following day, and threat actors, including those behind ransomware, began exploiting them immediately.
According to an upcoming report by the cyber-intelligence team at Kroll, the newly discovered Kimsuky malware, which presents polymorphic characteristics, seems to be designed for extensive espionage and intelligence collection. ToddleShark leverages legitimate Microsoft binaries to reduce its footprint, modifies the registry to weaken security defenses, and gains persistent access through scheduled tasks. This is followed by a phase of continuous data theft and exfiltration. Kroll's analysts believe that ToddleShark is a new variant of Kimsuky's previous backdoors, BabyShark and ReconShark, which were observed targeting government organizations, research centers, universities, and think tanks across the US, Europe, and Asia.
The threat actors initially gain access to vulnerable ScreenConnect endpoints by exploiting the aforementioned vulnerabilities, which provide them with authentication bypass and code execution capabilities. Once they have established a foothold, Kimsuky uses legitimate Microsoft binaries, such as mshta.exe, to run malicious scripts like a heavily obfuscated VBS, thereby blending its activities with regular system processes. The malware then alters VBAWarnings keys in the Windows Registry to allow macros to run on various versions of Microsoft Word and Excel without triggering alerts. Scheduled tasks are created to maintain persistence by periodically (every minute) running the malicious code.
ToddleShark routinely collects system information from infected devices. Finally, ToddleShark encodes the collected information in Privacy Enhanced Mail (PEM) certificates, which are then exfiltrated to the attacker's command and control (C2) infrastructure, a sophisticated and recognized Kimsuky approach. One noteworthy feature of the new malware is its polymorphism, which enables it to often evade detection and makes analysis more difficult. ToddleShark achieves this through several methods. Firstly, it uses randomly generated functions and variable names in the heavily obfuscated VBScript used in the initial infection step, making static detection more challenging. Large quantities of hexadecimal encoded code mixed with junk code may cause the malware payload to appear benign or non-executable. Additionally, ToddleShark uses randomized strings and code positioning, which alters its structural pattern enough to render signature-based detection ineffective. Lastly, the URLs used for downloading additional stages are dynamically generated, and the hash of the initial payload fetched from the C2 is always unique, rendering standard blocklisting methods ineffective. Kroll will share specific details and indicators of compromise (IoCs) relating to ToddleShark via a blog post on its website in the near future.
Related News
- BlackCat Ransomware Gang Alleges Theft of 6TB Data from Change Healthcare
- FBI and CISA Alert Healthcare Sector of Targeted BlackCat Ransomware Attacks
- Black Basta and Bl00dy Ransomware Gangs Target Unpatched ScreenConnect Servers
- CISA Mandates Immediate Fix for ConnectWise ScreenConnect Vulnerability
- LockBit Ransomware Exploits ScreenConnect RCE Flaw: A Rising Threat
Latest News
- Critical Vulnerabilities in TeamCity Pose Threat to Software Supply Chain
- Critical Exploit for TeamCity Auth Bypass Bug Available: Immediate Patching Recommended
- Phobos Ransomware Targets U.S. Critical Infrastructure: Government Agencies Issue Warning
- North Korean Lazarus Group Exploited Windows Kernel Bug as Zero-Day for Six Months
- U.S. Judge Orders NSO Group to Disclose Pegasus Spyware Source Code to Meta
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.