ToddlerShark is a new variant of malware that has been linked to the North Korean threat group Kimsuky, also known as APT43, Emerald Sleet, and Velvet Chollima. The malware was named ToddlerShark by researchers at Kroll due to its resemblance to BabyShark, another malware used by the same hacking group. This new strain exploits recently disclosed vulnerabilities in ScreenConnect applications, which have also been targeted by other threat groups using different types of malware such as Play and LockBit ransomware.
The primary function of ToddlerShark is data theft: it collects host, user, network, and security software information, along with details about installed software and running processes. After gathering this data, ToddlerShark uses the built-in Windows command certutil to encode the stolen information as a Privacy Enhanced Mail (PEM) certificate, which is then exfiltrated to the Command and Control (C2) web application. The malware exhibits polymorphic behavior, changing identity strings in its code and inserting junk code that shifts the position of the functional code, which makes it difficult to detect in some environments.
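The certutil technique described above leaves a recognizable artifact: a PEM-framed "certificate" whose base64 body is not a DER-encoded certificate at all. The following triage helper is an added example, not code from Kroll or from the malware; it parses PEM blocks, decodes them, and reports whether the contents are DER-structured or just arbitrary text/binary wrapped in certificate armor. The sample payload is constructed recon-style text, not real stolen data.

```python
import base64
import binascii
import re
import string

# Matches any PEM armor; certutil -encode uses the CERTIFICATE label by default.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def certutil_style_pem(payload: bytes) -> str:
    """Mimic certutil -encode output: 76-char base64 lines in CERTIFICATE armor."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def looks_like_der_sequence(data: bytes) -> bool:
    """A real certificate is one DER SEQUENCE (tag 0x30) whose length spans the blob."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def triage_pem(text: str) -> list:
    """Return one finding per PEM block: label, decoded size and a verdict."""
    findings = []
    for match in PEM_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append({"label": label, "bytes": 0, "verdict": "invalid-base64"})
            continue
        printable = sum(chr(b) in string.printable for b in raw) / max(len(raw), 1)
        if looks_like_der_sequence(raw):
            verdict = "der-certificate-like"
        elif printable > 0.9:
            verdict = "text-payload-in-pem"    # recon output smuggled in cert armor
        else:
            verdict = "binary-payload-in-pem"
        findings.append({"label": label, "bytes": len(raw), "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Constructed sample: host/user/AV details of the kind ToddlerShark collects.
    recon = b"HOSTNAME=WS01\r\nUSER=alice\r\nAV=Windows Defender\r\n"
    print(triage_pem(certutil_style_pem(recon)))
```

Point it at files dropped next to a certutil invocation; a CERTIFICATE block that decodes to printable text rather than a DER SEQUENCE is worth a closer look.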
Kroll's research team identified an attempted compromise exhibiting Kimsuky’s hallmarks, which was detected and stopped by the Kroll Responder team. The post-exploitation phase of this attack included the deployment of the ToddlerShark malware, leveraging a second vulnerability in ScreenConnect applications. Given these findings, patching ScreenConnect applications is imperative to prevent further exploitation by ToddlerShark or other similar malware strains.
Description last updated: 2024-05-04T17:01:19.359Z