ToddleShark: a new North Korean tool for covert cyber espionage

Teacher

Kroll has revealed details of a new Kimsuky cyberattack using ScreenConnect.

Kroll specialists told BleepingComputer that the North Korean hacker group Kimsuky is exploiting ScreenConnect vulnerabilities to distribute a new version of the ToddleShark malware.

The attacks exploit the following weaknesses:
  • Path traversal vulnerability CVE-2024-1708 (CVSS score: 8.4), leading to remote code execution (RCE).
  • Authentication bypass vulnerability CVE-2024-1709 (CVSS score: 10.0), which gives an attacker direct access to sensitive information or critical systems.

These vulnerabilities were made public on February 20, and the very next day public exploits appeared online, which led to large-scale exploitation of the bugs in cyberattacks, including ransomware attacks.

According to Kroll, the ToddleShark malware has polymorphic characteristics and is designed for long-term intelligence gathering and information collection. ToddleShark uses legitimate Microsoft binaries to minimize its traces, modifies the registry to weaken security settings, and establishes persistent access to infected systems through scheduled tasks, after which a phase of continuous data theft and exfiltration begins.

Kroll analysts believe that ToddleShark is a new variant of the known Kimsuky malware families BabyShark and ReconShark, which were previously used in attacks on government organizations, research centers, universities, and think tanks in the United States, Europe, and Asia.

The malware collects information from infected devices, including:
  • host names;
  • system configuration;
  • user accounts;
  • active sessions;
  • network settings;
  • installed security software;
  • current network connections;
  • list of running processes;
  • list of installed software.

ToddleShark then encodes the collected information into PEM certificates and transmits it to the attackers' command-and-control (C2) servers.

One of the key features of ToddleShark is its polymorphism: it evades detection by using randomly generated function and variable names, as well as dynamically changing URLs for loading additional malware stages.

Kroll is expected to publish further details and indicators of compromise (IoCs) for ToddleShark on its website in the coming days.
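The report says the stolen inventory is wrapped in PEM certificates before it leaves the host. A useful defensive check is therefore to look at what is actually inside a "certificate" seen in outbound traffic or proxy logs: a real certificate is a DER SEQUENCE whose declared length covers the whole body and whose first element is the tbsCertificate SEQUENCE, whereas smuggled text decodes to something else. The following is an added example (not code from Kroll, BleepingComputer or the malware itself) of that structural triage. The DER check is a deliberately dependency-free heuristic, not a full X.509 parse, and both sample blobs are constructed here, not captured traffic.

```python
import base64
import binascii
import re

# Matches the base64 body of a PEM certificate envelope (re.S spans line breaks).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_length(buf: bytes, pos: int):
    """Return (content_length, header_bytes) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                       # short form: single length byte
        return first, 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def looks_like_x509_der(der: bytes) -> bool:
    """Heuristic: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }.

    Accepts only a top-level SEQUENCE whose length matches the blob exactly and
    whose first inner element is itself a SEQUENCE. Anything else is 'opaque'.
    """
    try:
        if len(der) < 4 or der[0] != 0x30:
            return False
        length, hdr = _der_length(der, 1)
        if 1 + hdr + length != len(der):   # trailing or missing bytes: not a clean DER object
            return False
        return der[1 + hdr] == 0x30        # tbsCertificate must be a SEQUENCE
    except (ValueError, IndexError):
        return False


def triage_pem_blocks(text: str) -> list:
    """Classify every PEM certificate block in text as x509-der, opaque or malformed."""
    verdicts = []
    for body in PEM_RE.findall(text):
        compact = re.sub(r"\s+", "", body)
        try:
            der = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            verdicts.append("malformed")   # not even valid base64
            continue
        verdicts.append("x509-der" if looks_like_x509_der(der) else "opaque")
    return verdicts


# --- constructed samples (assumptions for this example, not real artefacts) ---

def _der_seq(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE with correct short/long-form length."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(body)]) + body + content


def to_pem(der: bytes) -> str:
    """Base64-armor raw bytes in a PEM CERTIFICATE envelope, 64 chars per line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Certificate-shaped DER: SEQUENCE { SEQUENCE{INTEGER 1}, SEQUENCE{OID}, BIT STRING }.
CERT_DER = _der_seq(
    _der_seq(b"\x02\x01\x01") + _der_seq(b"\x06\x03\x2a\x03\x04") + b"\x03\x02\x00\xff"
)
LEGIT_PEM = to_pem(CERT_DER)

# Host inventory text hidden inside the same envelope (the pattern the report describes).
SMUGGLED_PEM = to_pem(b"hostname=WS01;user=alice;proc=explorer.exe,cmd.exe")


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_PEM), ("smuggled", SMUGGLED_PEM)):
        print(label, triage_pem_blocks(sample))
```

An "opaque" verdict on its own is only a lead; some legitimate formats are also carried in PEM CERTIFICATE envelopes by broken tooling. In practice, the heuristic is most useful as an enrichment on egress logs, where a block that fails DER structure while being sent to a non-PKI destination is worth a closer look.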