
March 5, 2024

Kimsuky APT using ScreenConnect flaws to drop new malware


The North Korea-linked threat actor known as Kimsuky is exploiting the recently disclosed ScreenConnect vulnerabilities (CVE-2024-1709, an authentication bypass, and CVE-2024-1708, a path traversal) to deploy a new malware family called ToddleShark. Where opportunistic criminal groups rushed to use the same flaws to install ransomware on compromised servers, Kimsuky's new tool is built for long-term espionage and data exfiltration.

ToddleShark runs through legitimate Microsoft binaries to blend in with normal activity, modifies the registry to disable security controls, and establishes persistence through scheduled tasks. It periodically gathers system information, encodes it, and sends it to its command and control (C2) infrastructure.

A notable feature of ToddleShark is its polymorphism: every sample is generated slightly differently, which defeats hash- and string-based signatures and slows down analysis. Kimsuky achieves this with randomized function and variable names in heavily obfuscated VBScript, hexadecimal-encoded code interleaved with junk code, randomized strings and code placement, and dynamically generated URLs.
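To make the polymorphism concrete, here is an added example (not ToddleShark code and not from the article): a generator that emits a harmless VBScript variant using the tricks listed above (randomized identifiers, Chr(&H..) hex-encoded strings, junk comment lines, random layout and a per-variant URL), beside a normalizer that undoes exactly those tricks so every variant collapses to one behavioral fingerprint while the plain file hash changes each time. The keyword list, the placeholder names, the URL scheme and the normalization steps are assumptions for this toy; a production detector would need a real VBScript parser.

```python
import hashlib
import random
import re
import string

# Toy subset of VBScript keywords/builtins kept verbatim during identifier renaming (assumption).
VBS_KEYWORDS = {
    "function", "end", "dim", "set", "call", "createobject", "chr",
    "wscript", "echo", "nothing", "sub", "if", "then", "else", "for", "next",
}

# What the normalizer yields for every variant of the constructed script below.
EXPECTED_NORMALIZED = "\n".join([
    "function v0()", "dim v1", 'set v1 = createobject("WScript.Shell")',
    "dim v2", 'v2 = "<URL>"', "wscript.echo v2", "end function", "call v0()",
])


def generate_variant(seed: int) -> str:
    """Constructed, benign VBScript (it only echoes a URL) regenerated with random
    function/variable names, Chr(&H..) hex-encoded strings, junk comment lines,
    random indentation and a per-variant URL path. Deterministic per seed."""
    rng = random.Random(seed)

    def ident() -> str:
        length = rng.randint(6, 12)
        return rng.choice(string.ascii_letters) + "".join(
            rng.choice(string.ascii_letters + string.digits) for _ in range(length))

    def hexenc(text: str) -> str:  # "ab" -> Chr(&H61) & Chr(&H62)
        return " & ".join(f"Chr(&H{ord(c):02X})" for c in text)

    fn, shell, msg = ident(), ident(), ident()
    url = "http://example.invalid/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(8))
    body = [
        f"Function {fn}()",
        f"Dim {shell}",
        f"Set {shell} = CreateObject({hexenc('WScript.Shell')})",
        f"Dim {msg}",
        f"{msg} = {hexenc(url)}",
        f"WScript.Echo {msg}",
        "End Function",
        f"Call {fn}()",
    ]
    lines = []
    for stmt in body:
        for _ in range(rng.randint(0, 2)):  # junk comment lines in random amounts
            lines.append("' " + "".join(rng.choice(string.ascii_letters) for _ in range(rng.randint(8, 24))))
        lines.append(" " * rng.randint(0, 6) + stmt)  # random indentation
    return "\r\n".join(lines)


CHR_RUN = re.compile(r"Chr\(&H[0-9A-Fa-f]{2}\)(?:\s*&\s*Chr\(&H[0-9A-Fa-f]{2}\))*")
HEX_BYTE = re.compile(r"&H([0-9A-Fa-f]{2})")
URL = re.compile(r'https?://[^\s"]+')
TOKEN = re.compile(r'"[^"]*"|[A-Za-z_][A-Za-z0-9_]*')


def normalize(script: str) -> str:
    """Strip the surface variation so any variant maps to the same text."""
    names = {}

    def canon(m):
        tok = m.group(0)
        if tok.startswith('"'):
            return tok  # string literals are kept as-is
        low = tok.lower()
        if low in VBS_KEYWORDS:
            return low
        return names.setdefault(low, f"v{len(names)}")  # rename by order of first use

    out = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):
            continue  # blank and comment-only lines carry no behavior
        # 1. fold Chr(&H..) & Chr(&H..) runs back into one string literal
        line = CHR_RUN.sub(
            lambda m: '"' + "".join(chr(int(h, 16)) for h in HEX_BYTE.findall(m.group(0))) + '"', line)
        # 2. replace dynamically generated URLs with a placeholder
        line = URL.sub("<URL>", line)
        # 3. canonicalize identifiers, keep keywords and strings
        line = TOKEN.sub(canon, line)
        out.append(" ".join(line.split()))  # 4. collapse whitespace
    return "\n".join(out)


def raw_hash(script: str) -> str:
    return hashlib.sha256(script.encode()).hexdigest()


def fingerprint(script: str) -> str:
    """Hash of the normalized script: identical across all variants."""
    return hashlib.sha256(normalize(script).encode()).hexdigest()


if __name__ == "__main__":
    a, b = generate_variant(1), generate_variant(2)
    print("raw hashes equal:", raw_hash(a) == raw_hash(b))        # False
    print("fingerprints equal:", fingerprint(a) == fingerprint(b))  # True
```

The point of the normalizer is not that it is hard to write, but that it targets the invariants the obfuscator cannot change (which object is created, what is executed, where data goes) rather than the names and encodings it randomizes; a hash-based blocklist would have to be updated for every sample, while the fingerprint above stays stable.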

Source: Bleeping Computer

Analysis

Kimsuky is unlikely to limit ToddleShark to vulnerable ScreenConnect servers; it will more likely deploy the malware against other targets of interest using whatever vulnerability offers initial access at the time. Kimsuky is a highly capable actor known for targeting government organizations, research centers, universities, and think tanks in the United States, Europe, and Asia.

Since the ScreenConnect vulnerabilities were announced, Field Effect has been working with our partners and clients to identify and contain the associated risks. Our telemetry has revealed multiple incidents in which a small number of systems were compromised through legacy, unpatched (and likely forgotten) ScreenConnect instances that third-party contractors or external vendors had installed in clients' environments. These compromised ScreenConnect servers were then used to download remote access tooling such as Cobalt Strike and to execute ransomware payloads.

Mitigation

Covalence users have been automatically notified via the Covalence Portal if a vulnerable version of ScreenConnect was detected in their environment, and will be notified if any post-exploitation activity related to the ScreenConnect vulnerabilities is detected. Field Effect strongly encourages users of affected versions of ScreenConnect to install the latest security patch (version 23.9.10.8817) as soon as possible, following ConnectWise's instructions. Instances installed by contractors or vendors are easy to overlook, so inventory every ScreenConnect server in the environment and either update or decommission any that cannot be patched.

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for changes in the tactics, techniques, and procedures (TTPs) of state-sponsored actors such as Kimsuky. Covalence is designed to detect and report malware activity by its behavior rather than by file hashes or fixed strings, so polymorphism does not help the malware evade it.

For example, Covalence will automatically detect and report the registry modifications, scheduled task creation, data exfiltration, and other behaviors exhibited by ToddleShark. For more information on Covalence and detection of polymorphic malware, please refer to the blog post by Field Effect's CEO, Matt Holland.
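As an added illustration of the behavior-based detection described above for the ToddleShark capabilities listed earlier (example code, not Covalence logic and not from the article), the following Python runs four rules over constructed Sysmon-style events: a Defender kill switch written to the registry, schtasks.exe creating a task, a script host spawned by a remote-access service, and a script host making outbound HTTPS. Benign look-alike events sit beside the suspicious ones to show where each rule draws its line. The JSON event format, the ScreenConnect parent-process path, the remote-access parent list and the port threshold are assumptions, and every log line is made up.

```python
import json
from typing import Optional

# Constructed Sysmon-style events as JSON lines (EventID 1 = process create,
# 13 = registry value set, 3 = network connection). Not real telemetry; paths are illustrative.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query /fo LIST", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //B //E:vbscript C:\\Users\\Public\\svc.vbs", "ParentImage": "C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 30 /tn Update /tr \"wscript //B C:\\Users\\Public\\svc.vbs\"", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Remote-access services whose child script hosts we want to see (assumed names).
REMOTE_ACCESS_PARENTS = {"screenconnect.service.exe", "screenconnect.clientservice.exe"}
# Real Defender policy values; setting them to 1 turns protection off.
DEFENDER_KILL_SWITCHES = (
    "\\windows defender\\disableantispyware",
    "\\windows defender\\real-time protection\\disablerealtimemonitoring",
)
EGRESS_PORTS = {80, 443}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(ev: dict) -> Optional[str]:
    """Return a rule name if the event shows one of the behaviors, else None."""
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        if target.endswith(DEFENDER_KILL_SWITCHES) and "0x00000001" in ev.get("Details", ""):
            return "security_control_disabled_via_registry"
    elif eid == 1:
        if image == "schtasks.exe" and "/create" in cmd:
            return "scheduled_task_persistence"
        if image in SCRIPT_HOSTS and basename(ev.get("ParentImage", "")) in REMOTE_ACCESS_PARENTS:
            return "script_host_spawned_by_remote_access_tool"
    elif eid == 3:
        if image in SCRIPT_HOSTS and ev.get("DestinationPort") in EGRESS_PORTS:
            return "script_host_network_egress"
    return None


def detect(events: list) -> list:
    """Run every event through classify() and keep the hits with their rule name."""
    findings = []
    for ev in events:
        rule = classify(ev)
        if rule:
            findings.append({"rule": rule, "image": basename(ev.get("Image", "")), "event": ev})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['rule']:45} {f['image']}")
```

None of these rules looks at a file hash or a string inside the VBScript, which is why renaming identifiers or re-encoding the payload does not change the outcome; a real deployment would add the host name to each finding and raise severity when several of the rules fire on the same machine within a short window.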
