Toddleshark

ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think tanks across the United States, Europe, and Asia. The malware exploits ScreenConnect flaws, specifically CVE-2024-1708 and CVE-2024-1709, to infiltrate target systems. Blocklisting proves ineffective against ToddleShark due to the constant variation in the hash of the initial payload and URLs used for downloading additional stages of the malware. Once inside a system, ToddleShark uses legitimate Microsoft binaries to minimize its trace and modifies registry settings to lower security defenses. It establishes persistent access through scheduled tasks, which then initiates a phase of continual data theft and exfiltration. Among other functions, it gathers system information such as configuration details, installed security software, user sessions, network connections, and running processes. This information is encoded into Privacy Enhanced Mail (PEM) certificates and exfiltrated to the attacker's command and control (C2) infrastructure, a known Kimsuky tactic. ToddleShark stands out for its approach to anti-detection, building off previous Kimsuky malware but introducing significant advancements. Patching ScreenConnect applications is imperative to defend against this threat. Kroll has indicated that it will share specific details and indicators of compromise (IoCs) relating to ToddleShark in an upcoming blog post. As it stands, ToddleShark poses a significant threat due to its advanced methods of infiltration, persistence, data gathering, and evasion.