Kimsuky, a North Korean APT hacker group, is infecting targets with a new malware variant dubbed ToddlerShark by exploiting ScreenConnect flaws, particularly CVE- 2024- 1708 and CVE- 2024- 1709.
A North Korean state-sponsored hacking group known for cyber espionage attacks on businesses and governments around the world, Kimsuky ( also known as Thallium and Velvet Chollima ).
The threat actors are utilizing remote code execution and authentication bypass flaws that were discovered on February 20, 2024 when ConnectWise advised ScreenConnect users to immediately upgrade their servers to version 23. 9.8 or later.
The following day, public exploits of the two flaws were released, and hackers, including ransomware actors, began using them in real attacks.
The new Kimsuky malware, which exhibits polymorphic characteristics, appears to have been created for long-term espionage and intelligence gathering, according to a report released by Kroll’s cyber-intelligence team and BleepingComputer.
ToddlerShark  creates persistent access through scheduled tasks, which are followed by a period of ongoing data theft and exfiltration, uses legitimate Microsoft binaries to reduce its trace, and modifies registry to lower security defenses.
details about ToddleShark
ToddlerShark, according to Kroll’s analysts, is a new subset of Kimsuky’s BabyShark and ReconShark backdoors that were previously seen and targeted government agencies, research centers, universities, and think tanks in America, Europe, and Asia.
By utilizing the vulnerabilities, which give them the ability to bypass authentication and execute code, the hackers first gain access to vulnerable ScreenConnect endpoints.
Kimsuky uses legitimate Microsoft binaries, such as mshta, after gaining traction. executes malicious scripts like a heavily obfuscated VBS, blending its actions with regular system operations.
Next, the malware modifies the Windows Registry’s VBAWarnings keys to make it possible for macros to run without triggering notifications on various Microsoft Word and Excel versions.
By periodically ( every minute ) running the malicious code, scheduled tasks are created to establish persistence.
ToddleShark regularly collects system data from infected devices, including the following:
- Hostname
- Details of the system configuration
- User accounts
- User sessions that are active
- Network setups
- installed security software
- Currently active network connections.
- Running processes are enumerated in detail
- by parsing standard installation paths and the Windows Start Menu, list installed software.
An advanced and well-known Kimsuky tactic is used by ToddlerShark to encrypt the collected data in Privacy Enhanced Mail ( PEM) certificates that are then sent to the attacker’s command and control ( C2 ) infrastructure.
malware that is polymorphic
Polymorphism, a distinguishable trait of the new malware, makes it more difficult to analyze and avoid detection in many cases. ToddleShark uses a variety of methods to accomplish this.
First, it makes static detection more difficult by using randomly generated functions and variable names in the heavily obfuscated VBScript used in the initial infection step. The malware payload may appear benign or un executable if large amounts of hexadecimal encoded code are interspersed with junk code.
ToddlerShark also employs randomized strings and [functional ] code positioning, which alter its structural pattern so severely that signature-based detection is ineffective against it.
Standard blocklisting techniques are rendered useless because the URLs used to download additional stages are dynamically generated and the initial payload’s hash is always unique.
Kroll will post specifics and ( compromise ) guidelines in a blog post tomorrow on its website.
Update 3/5: ToddlerShark malware name changed