TODDLESHARK Malware Linked to Kimsuky APT

Recently, security vulnerabilities in ConnectWise ScreenConnect have been exploited by North Korean threat actors to introduce a new malware known as TODDLERSHARK. TODDLERSHARK shares similarities with known Kimsuky malware, including BabyShark and ReconShark.

According to security researchers the threat actors gained entry to the victim's workstation by taking advantage of the exposed setup wizard in the ScreenConnect application. Subsequently, they utilized their gained "hands-on keyboard" access to execute mshta.exe with a URL to the Visual Basic (VB) based malware using cmd.exe.

The specific ConnectWise flaws exploited are CVE-2024-1708 and CVE-2024-1709, which were revealed last month. These vulnerabilities have since been heavily exploited by various threat actors to distribute cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

TODDLERSHARK Expands Kimsuky Toolkit

Kimsuky, also identified as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has consistently expanded its malware toolkit, with GoBear and Troll Stealer being the latest additions.

BabyShark, initially detected in late 2018, is launched through an HTML Application (HTA) file. Once activated, the VB script malware extracts system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instructions from the operator.

In May 2023, a variant of BabyShark called ReconShark was observed targeting specific individuals through spear-phishing emails. TODDLERSHARK is considered the latest iteration of the same malware, exhibiting code and behavioral similarities.

Apart from utilizing a scheduled task for persistence, TODDLERSHARK is designed to capture and transmit sensitive information about compromised hosts, making it an effective reconnaissance tool. The researchers note that TODDLERSHARK displays elements of polymorphic behavior, such as changing identity strings in code, altering code positions through generated junk code, and using uniquely generated C2 URLs, potentially making detection challenging in certain environments.

By Zaib
March 7, 2024
Computer Security
English
March 7, 2024
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

5 years ago

What is the OperaGXSetup.exe File and is it Malicious?

11 months ago

Eporner.com And Why Its Excessive Pop-Ups Are Risky

11 days ago

HackTool:Win32/Crack: a Malicious Threat That Can Seriously...

7 months ago

Take Note: Someone Added You As Their Recovery Email Scam

10 months ago

A Potentially Serious Threat: Trojan:Win32/Suschil!rfn

18 days ago

Related Posts

Malware

WhiskerSpy Backdoor Linked to APT

Researchers have identified a new backdoor that has been linked to the advanced persistent threat group Earth Kitsune, a group they have previously studied. Earth Kitsune has been distributing self-developed backdoors... Read more

February 20, 2023
Malware

MagicWeb Malware Used by NOBELIUM APT

Microsoft's Threat Intelligence Center published a report on a new piece of malware associated with a Russian-speaking advanced persistent threat actor known under the aliases APT29, Cozy Bear and, under Microsoft's... Read more

August 26, 2022
Malware

Gelsevirine Malware

The Gelsevirine Malware is a threatening implant, which is a private piece of malware part of the arsenal of the Gelsemium APT. In the past, criminals have been involved in large-scale attacks against various entities... Read more

June 10, 2021
English
Loading...

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2025 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.