The North Korean hacking group Kimsuky, known for cyber espionage, has been exploiting vulnerabilities in ScreenConnect to disseminate a new malware variant named ToddleShark. These vulnerabilities, particularly CVE-2024-1708 and CVE-2024-1709, enable authentication bypass and remote code execution, providing Kimsuky with a gateway to infiltrate target systems. ToddleShark exhibits polymorphic traits and is designed for long-term espionage, utilizing legitimate Microsoft binaries to evade detection and establish persistent access through scheduled tasks.
Kimsuky’s tactics involve leveraging public exploits released shortly after the vulnerabilities were disclosed by ConnectWise, prompting immediate server upgrades. The ToddleShark malware, which shares characteristics with previous Kimsuky backdoors, targets a range of organizations, including government entities, research centers, and universities across continents. To evade detection, ToddleShark employs sophisticated techniques such as randomized functions and variable names in its heavily obfuscated VBScript, rendering static detection challenging.
Moreover, ToddleShark dynamically generates URLs for downloading additional stages and ensures the uniqueness of the payload hash fetched from the command and control (C2) server, thwarting standard blocklisting methods. Kroll’s upcoming report suggests that ToddleShark’s polymorphic nature, coupled with its evasion tactics, poses significant challenges for traditional signature-based detection systems. Specific details and indicators of compromise (IoCs) related to ToddleShark will be disclosed by Kroll in an upcoming blog post, further aiding in its detection and mitigation efforts.
