TODDLERSHARK Malware Detection: Hackers Weaponize CVE-2024-1708 and CVE-2024-1709 Vulnerabilities to Deploy a New BABYSHARK Variant

A new malware iteration dubbed TODDLERSHARK comes into the spotlight in the cyber threat arena, which bears a striking similarity with BABYSHARK or ReconShark malicious strains leveraged by the North Korean APT group known as Kimsuky APT. The infection chain is triggered by weaponizing a couple of critical ConnectWise ScreenConnect vulnerabilities tracked as CVE-2024-1708 and CVE-2024-1709 that have been massively exploited by adversaries.2

Detect TODDLERSHARK Malware Variants

Around 5,4 billion malware attacks were spotted in 2022. With their number and sophistication continuously escalating, security professionals are seeking advanced solutions to boost threat detection and hunting efficiency. SOC Prine Platform for collective cyber defense aggregates the world´s largest feed of behavior-based detection algorithms coupled with cutting-edge tools to bring the organization’s cyber defense to the next level.

To identify possible malicious activity linked to the novel TODDLERSHARK strain leveraged by Kimsuky APT, cyber defenders can rely on the extensive detection stack provided by SOC Prime. Just hit the Explore Detections button below and drill down to the relevant detection algorithms compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK v14.1. All the rules are accompanied by detailed metadata, including CTI references, attack timelines, triage recommendations, and more.

Explore Detections

To streamline threat investigation and obtain additional context, security experts might search SOC Prime for more relevant rules using “Kimsuky”, “CVE-2024-1708,” “CVE-2024-1709,” and “BABYSHARK” tags.

TODDLERSHARK Malware Analysis: What’s Behind a Novel BABYSHARK Iteration

The Kroll researchers recently noticed an adversary campaign employing a novel malware that bears striking resemblance to BABYSHARK, which is known to have been leveraged by the nefarious North Korean Kimsuky APT group (aka APT43, STOLEN PENCIL, Thallium, Black Banshee, or Velvet Chollima).

Kimsuky has long been observed experimenting with diverse malicious strains to enrich its offensive toolkit. Since 2013, the hacking collective has been causing a stir in the cyber threat arena with South Korea being its primary target. In January 2022, Kimsuky employed open-source RATs and a custom Gold Dragon backdoor to infiltrate South Korean organizations and facilitate data exfiltration.

In February 2024, the North Korean hackers leveraged a new Golang-based information stealer known as Troll Stealer, alongside GoBear malware variants in targeted attacks against South Korea.

In the recently observed campaign, the malicious activity started by abusing newly patched authentication bypass flaws in the ConnectWide ScreenConnect software tracked as CVE-2024-1708 (with the highest possible CVSS score reaching 10) and CVE-2024-1709 (with the CVSS score of 8.4). In the ongoing malicious operation potentially linked to Kimsuky, ​​CVE-2024-1709 is leveraged for initial access, expanding the list of hackers who take advantage of the critical ConnectWide ScreenConnect flaws. Both vulnerabilities have been under large-scale exploitation by multiple hacking groups since their emergence in the cyber threat landscape in February 2024. When chained together, CVE-2024-1709 and CVE-2024-1708 enable adversaries to perform RCE after authentication. 

BABYSHARK malware first came to the scene in late 2018 deployed through an HTA file. Upon execution, the VB script malware collects system data and sends it to a C2 server. In late spring, another BabyShark iteration dubbed ReconShark emerged, spread via targeted spear-phishing emails.TODDLERSHARK is considered to be the most recent iteration of this malware due to the code resemblance and the similar behavior patterns. 

The primary focus of the malware capabilities centers on the system information-stealing component. Apart from applying a scheduled task to maintain persistence, the malware acts as a reconnaissance tool capable of exfiltrating sensitive information from compromised devices. The stolen information involves details on the host, user, network, and security software data, along with data on installed software and running processes. After gathering this data, it is encoded and sent to the C2 web application for exfiltration.

TODDLERSHARK employs the legitimate Microsoft binary, MSHTA, and displays polymorphic behavior by altering identity strings within the code, shifting code positions, and applying uniquely generated C2 URLs. 

To remediate the risks of TODDLERSHARK infection, defenders are strongly recommended to upgrade their ScreenConnect software to the 23.9.8 version or later where the reported vulnerabilities have been addressed. 

With the increasing risks of cyber attacks weaponizing known vulnerabilities accompanied by the exponential rise in multiple APT campaigns leveraging new malware variants, implementing a proactive threat detection strategy is imperative. Leveraging Attack Detective, finding APT attacks and timely identifying CVEs is getting faster, easier, and more efficient. Rely on the system that ensures comprehensive visibility of your attack surface and delivers behavior-based detection algorithms or IOCs tailored to your security solution in use without moving your data, backed by ATT&CK acting as a central correlation algorithm.