North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware

North Korean hackers are using a critical vulnerability in ConnectWise's ScreenConnect software to spread new, shapeshifting espionage malware.

Two weeks ago, ConnectWise revealed two flaws in its popular remote desktop application: CVE-2024-1708, a path traversal bug given a "high" score of 8.4 out of 10 on the CVSS scale, and CVE-2024-1709, a rare "critical" 10 out of 10 authentication bypass bug. With hardly a moment to spare, cyberattackers pounced — most notably, initial access brokers (IABs) in cahoots with ransomware groups — with thousands of organizations in the firing line scrambling to patch.

Kimsuky (aka APT43), the advanced persistent threat (APT) from the Democratic People's Republic of Korea (DPRK), is getting in on the action, too. According to a new blog post from Kroll, it's exploiting vulnerable versions of ScreenConnect to deploy a new backdoor called "ToddleShark."

"The list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing," according to Kroll. "Patching ScreenConnect applications is therefore imperative."

ToddleShark builds off of previous Kimsuky malware but stands out for its approach to anti-detection.

North Korea Exploits ScreenConnect

In recent espionage campaigns, Kimsuky has deployed various custom backdoors, including ReconShark and BabyShark, against government organizations, research centers, think tanks, and universities in North America, Europe, and Asia.

ToddleShark, the weapon of choice this time around, is notably similar to BabyShark, but it has certain important advancements.

Among other functions, ToddleShark gathers system information, including configuration details, what security software is installed on the device, and lists of user sessions, network connections, running processes, and more.

It then sends that information back to attacker-controlled command-and-control (C2) servers via cryptographically protected Privacy-Enhanced Mail (PEM) certificates.

"The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," Kroll researchers said in their post, released today.

How ToddleShark Uses Randomness for Evasion

ToddleShark stands out most, though, for how it uses random generation algorithms to dodge detection. For example, it uses random names for variables and functions to stump static detection, and randomizes its strings and the ordering of code to confuse standard signature-based detection.

Interspersed with its regular malicious code are large chunks of junk code, and hexadecimal encoded code, making the final outcome look like a bit of a mess.

Blocklisting doesn't really work against ToddleShark, either, because the hash of the initial payload and URLs used to download additional stages of the malware are always different.

The fact that detecting this backdoor is so tricky only emphasizes the need for organizations to update, if they haven't already. A patch and other resources for ConnectWise customers are available on the vendor's website.

A ConnectWise spokesperson laid out the timeline:

"On February 13th, an independent researcher submitted a potential ScreenConnect vulnerability through our voluntary disclosure process," the person says. "Once validated, ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours. On February 19th, we released a patch for all on-prem ScreenConnect customers, posted a security bulletin on the ConnectWise Trust Center, and sent patching instructions to ScreenConnect customers."

ConnectWise noted that customers should immediately patch on-prem instances of ScreenConnect.

"At this time, ConnectWise and other cybersecurity firms have seen exploits of the ScreenConnect vulnerability on unpatched on-prem instances," the spokesperson says. "However, cyberattacks can occur through numerous avenues, including vulnerabilities, phishing, and business email compromise. While usually used for IT service delivery and product support, attackers can misuse remote control tools to facilitate malicious activities."