March 4, 2024 at 05:44PM
North Korean APT group Kimsuky is exploiting ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 to distribute the new ToddleShark malware. This polymorphic variant aims for long-term espionage, using legitimate Microsoft tools and scheduled tasks for persistent access. Kroll’s upcoming report will share further details and indicators of compromise for ToddleShark.
The North Korean APT group Kimsuky has been exploiting vulnerabilities in ScreenConnect to infect targets with a new malware variant called ToddleShark. This new malware exhibits polymorphic traits and is designed for long-term espionage and intelligence gathering.
Kimsuky has been leveraging authentication bypass and remote code execution flaws in ScreenConnect, particularly targeting vulnerable endpoints. Once access is gained, the malware uses legitimate Microsoft binaries to minimize its trace, performs registry modifications to lower security defenses, and establishes persistent access through scheduled tasks. It then conducts continual data theft and exfiltration, encoding the gathered information in Privacy Enhanced Mail (PEM) certificates before sending it to the attacker’s command and control (C2) infrastructure.
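The exfiltration detail above, data wrapped in PEM certificate blocks, gives defenders one concrete thing to check: a genuine PEM certificate body is base64 of a DER-encoded X.509 structure, which always begins with an ASN.1 SEQUENCE whose first element is itself a SEQUENCE (tbsCertificate), whereas arbitrary collected data wrapped in certificate headers will not. The script below is an added illustration of that check and is not code from the page or from Kroll's report; it parses PEM blocks from a text blob and flags bodies that decode cleanly but do not have certificate shape. `FAKE_DER` is a constructed minimal SEQUENCE-of-SEQUENCE used as a stand-in for a real certificate, and the "collected data" string is likewise constructed for the sample; neither is a real artifact of ToddleShark.

```python
import base64
import re

# PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_tlv(buf: bytes, off: int = 0):
    """Return (tag, length, header_size) for the DER TLV at buf[off], or None if malformed.
    Handles short-form lengths (< 0x80) and long-form lengths of up to 4 bytes."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None
    length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return tag, length, 2 + n


def looks_like_der_certificate(der: bytes) -> bool:
    """Structural check only: X.509 is SEQUENCE { tbsCertificate SEQUENCE, ... }.
    The outer SEQUENCE must span the whole buffer and its first child must be a SEQUENCE."""
    outer = _der_tlv(der, 0)
    if outer is None:
        return False
    tag, length, hdr = outer
    if tag != 0x30 or hdr + length != len(der):
        return False
    inner = _der_tlv(der, hdr)
    if inner is None:
        return False
    itag, ilen, ihdr = inner
    return itag == 0x30 and hdr + ihdr + ilen <= len(der)


def scan_pem_text(text: str) -> list:
    """Classify every PEM block found in text.
    Verdicts: 'invalid-base64', 'certificate-shaped', or 'suspicious-payload'."""
    findings = []
    for m in PEM_RE.finditer(text):
        label = m.group(1)
        body = re.sub(r"\s+", "", m.group(2))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append({"label": label, "verdict": "invalid-base64"})
            continue
        verdict = "certificate-shaped" if looks_like_der_certificate(raw) else "suspicious-payload"
        findings.append({"label": label, "decoded_bytes": len(raw), "verdict": verdict})
    return findings


def _wrap_pem(label: str, payload: bytes) -> str:
    """Helper for the constructed samples: wrap bytes in PEM armour with 64-char lines."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: a minimal DER SEQUENCE containing a SEQUENCE of two INTEGERs.
# Not a real certificate, but it has the outer shape the check looks for.
FAKE_DER = bytes.fromhex("30083006020101020102")

# Constructed sample: plain collected data hidden inside certificate headers.
SMUGGLED = b"host=WS-01;user=alice;os=Windows 10;ip=10.0.0.12"

SAMPLE_TEXT = (
    _wrap_pem("CERTIFICATE", FAKE_DER)
    + _wrap_pem("CERTIFICATE", SMUGGLED)
    + "-----BEGIN CERTIFICATE-----\n!!!not base64!!!\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for f in scan_pem_text(SAMPLE_TEXT):
        print(f)
```

The check is deliberately shallow: it does not validate the certificate, only its outer ASN.1 shape, which is enough to separate real certificates from data that merely borrows PEM headers. A block that is "certificate-shaped" can still be worth a closer look if it is unusually large or is posted to a host that has no business receiving certificates; a "suspicious-payload" verdict is a strong hunting lead in outbound traffic or in files written by scheduled tasks.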
The polymorphic nature of ToddleShark makes it challenging to detect and analyze. It achieves this through various techniques, including randomly generated functions and variable names, large amounts of hexadecimal encoded code interspersed with junk code, randomized strings and code positioning, and dynamically generated URLs for downloading additional stages.
Kroll will be sharing specific details and indicators of compromise (IoCs) relating to ToddleShark via a blog post on its website tomorrow.