North Korean threat actors have exploited security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK, which overlaps with known Kimsuky malware such as BabyShark and ReconShark. The threat actor gained access to victim workstations through the exposed setup wizard of the ScreenConnect application and executed the malware using cmd.exe.
The ConnectWise flaws (CVE-2024-1708 and CVE-2024-1709) have been heavily exploited by multiple threat actors to deliver various types of malware. Kimsuky, also known as APT43, has expanded its malware arsenal to include new tools like GoBear and Troll Stealer. TODDLERSHARK, the latest evolution of the malware, is engineered to capture and exfiltrate sensitive information about compromised hosts.
TODDLERSHARK exhibits polymorphic behavior, making it difficult to detect in some environments. In addition to using a scheduled task for persistence, the malware is designed to act as a valuable reconnaissance tool by capturing and exfiltrating sensitive information. The development comes as South Korea’s National Intelligence Service (NIS) accused North Korea of compromising the servers of two domestic semiconductor manufacturers and stealing valuable data through living-off-the-land techniques.
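As an added example written for this article (not code from the original report or from any vendor), a small Python detector that runs over constructed process-creation events and flags the two behaviours described above: a ScreenConnect process launching cmd.exe, and a scheduled task created from that same process chain. The ScreenConnect image names and the sample telemetry are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed image names for the ScreenConnect service/client processes (illustrative).
SCREENCONNECT_IMAGES = {"screenconnect.clientservice.exe", "screenconnect.service.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str

def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) findings. Events are assumed to arrive in time order."""
    by_pid = {e.pid: e for e in events}
    findings = []

    def lineage(e):
        # Walk parent links to the root, yielding each ancestor's image name.
        seen = set()
        while e and e.pid not in seen:
            seen.add(e.pid)
            yield _base(e.image)
            e = by_pid.get(e.ppid)

    for e in events:
        img = _base(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: cmd.exe started directly by a ScreenConnect process.
        if img == "cmd.exe" and parent and _base(parent.image) in SCREENCONNECT_IMAGES:
            findings.append(("screenconnect_spawns_cmd", e.pid))
        # Rule 2: scheduled-task creation anywhere beneath a ScreenConnect process.
        if img == "schtasks.exe" and "/create" in e.cmdline.lower() \
                and any(a in SCREENCONNECT_IMAGES for a in lineage(e)):
            findings.append(("scheduled_task_from_screenconnect_chain", e.pid))
    return findings

# Constructed sample telemetry (not real indicators).
SAMPLE = [
    ProcEvent(100, 4, r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe", ""),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\schtasks.exe", "schtasks /create /tn ExampleTask"),
    ProcEvent(400, 4, r"C:\Windows\explorer.exe", ""),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # benign: user shell
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```

The second rule walks the full ancestry, so it still fires when the task is created several hops below the ScreenConnect process rather than directly by cmd.exe.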
The digital intrusions on the semiconductor manufacturers occurred in December 2023 and February 2024, with North Korean threat actors targeting internet-exposed and vulnerable servers to gain initial access. The NIS suggested that North Korea may be preparing for its own semiconductor production due to difficulties in procuring semiconductors because of sanctions and increased demand for weapons development.
Overall, the exploitation of ConnectWise security flaws by North Korean threat actors to deploy TODDLERSHARK, a new variant of Kimsuky malware, highlights the ongoing cyber threats faced by organizations. The use of polymorphic behavior and living-off-the-land techniques by threat actors adds complexity to cybersecurity defense strategies, emphasizing the need for organizations to stay vigilant and adopt robust security measures to protect against such attacks.
