Hackers are exploiting recently disclosed ScreenConnect vulnerabilities to deploy a new variant of a malware strain previously linked to North Korean threat group Kimsuky.
The new malware, dubbed ToddlerShark by researchers at Kroll, overlaps with ReconShark and BabyShark, reconnaissance tools used by Kimsuky (also known as APT43, Emerald Sleet, and Velvet Chollima).
ConnectWise disclosed two vulnerabilities and released a security fix for its ScreenConnect remote desktop and access software last month. One of the vulnerabilities, an authentication bypass flaw tracked as CVE-2024-1709, was assigned a maximum severity CVSS v3 score of 10.
Since the bugs came to light, they have been exploited by several threat groups, including actors using Play, LockBit and other ransomware.
ToddlerShark plays hide and seek
In a March 5 analysis, Kroll researchers Keith Wojcieszek, George Glass and Dave Truman said an attempted compromise exhibiting Kimsuky’s hallmarks was detected and stopped by the Kroll Responder team.
“The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application. They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”
The ToddlerShark malware deployed in the attack “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generate C2 URLs, which could make this malware hard to detect in some environments,” the researchers said.
“Patching ScreenConnect applications is therefore imperative.”
Kimsuky sharpens its infostealer skills
ToddlerShark’s information-stealing capabilities enabled it to pilfer data, including host, user, network and security software information, along with installed software and running processes.
“Once the tool has gathered all this information, it uses the inbuilt Windows command certutil to encode the stolen information in a Privacy Enhanced Mail (PEM) certificate, which it then exfiltrates to the C2 web application,” the Kroll researchers said.
“The use of exfiltrating data hidden inside PEM files is a technique Kimsuky has used before.”
In its analysis, Kroll recommended several actions ScreenConnect customers should take to protect their systems against attacks from Kimsuky and other threat groups exploiting the new vulnerabilities.
All those running ScreenConnect version 23.9.7 or earlier should assume they had been compromised and patch immediately, following the guidance in ConnectWise’s advisory.
As well as patching, Kroll recommended affected users undergo an independent threat hunt/compromise assessment on their systems to ensure suspicious activity did not occur, and that malware was not inserted, prior to remediation.
The researchers also recommended the use of an endpoint detection and response (EDR) solution or next-generation antivirus (NGAV) tool configured to conduct system scans for webshells, along with the implementation of a web application firewall (WAF) or other web traffic monitoring system to analyze for potential exploitation.
