North Korean threat actors have used the newly found security holes in ConnectWise ScreenConnect to spread a new piece of malware called TODDLERSHARK.
A report from Kroll that was given to The Hacker News says that TODDLERSHARK is similar to other known Kimsuky malware like BabyShark and ReconShark.
Security experts Keith Wojcieszek, George Glass, and Dave Truman said, “The threat actor got into the victim workstation by taking advantage of the setup wizard of the ScreenConnect application being left open.”
“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”
The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709. They were discovered last month and have since been heavily used by many threat actors to spread cryptocurrency miners, ransomware, remote access trojans, and stealer malware.
Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has slowly added new malware tools to its collection. The most recent additions are GoBear and Troll Stealer.
An HTML Application (HTA) file is used to start BabyShark, which was first found in late 2018. When it is run, the VB script malware sends information about the system to a command-and-control (C2) computer, stays on the system, and waits for further instructions from the operator.
After that, in May 2023, a variation of BabyShark called ReconShark was seen being sent to specific people through spear-phishing emails. Based on similarities in code and behavior, TODDLERSHARK is thought to be the most recent version of the same malware.
The malware uses a scheduled task to stay active and is also designed to collect and send private information about the hosts that it has infected, making it a useful tool for reconnaissance.
The adware “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generate C2 URLs, which could make this malware hard to detect in some environments,” said the researchers.
This happened after South Korea’s National Intelligence Service (NIS) said that its northern equivalent had broken into the servers of two domestic semiconductor manufacturers and stolen important data.
Between December 2023 and February 2024, the hacks happened. Threat actors are said to have chosen servers that were open to the internet and easy to hack in order to get initial access. They then used living-off-the-land (LotL) methods instead of dropping malware to avoid being caught.
“North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” said NIS.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.