Toddleshark

Malware updated 4 months ago (2024-05-04T20:16:37.391Z)

Download STIX

Preview STIX

ToddleShark is a new variant of malware, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. It has been identified by Kroll's analysts as being used by the North Korean APT hacking group Kimsuky to target government organizations, research centers, universities, and think tanks across the United States, Europe, and Asia. The malware exploits ScreenConnect flaws, specifically CVE-2024-1708 and CVE-2024-1709, to infiltrate target systems. Blocklisting proves ineffective against ToddleShark due to the constant variation in the hash of the initial payload and URLs used for downloading additional stages of the malware. Once inside a system, ToddleShark uses legitimate Microsoft binaries to minimize its trace and modifies registry settings to lower security defenses. It establishes persistent access through scheduled tasks, which then initiates a phase of continual data theft and exfiltration. Among other functions, it gathers system information such as configuration details, installed security software, user sessions, network connections, and running processes. This information is encoded into Privacy Enhanced Mail (PEM) certificates and exfiltrated to the attacker's command and control (C2) infrastructure, a known Kimsuky tactic. ToddleShark stands out for its approach to anti-detection, building off previous Kimsuky malware but introducing significant advancements. Patching ScreenConnect applications is imperative to defend against this threat. Kroll has indicated that it will share specific details and indicators of compromise (IoCs) relating to ToddleShark in an upcoming blog post. As it stands, ToddleShark poses a significant threat due to its advanced methods of infiltration, persistence, data gathering, and evasion.

Description last updated: 2024-05-04T18:48:47.104Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
BabyShark	2	BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Screenconnect

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Kimsuky	Unspecified	2	Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

ID	Type	Votes	Profile Description
CVE-2024-1709	Unspecified	2	CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response

Source Document References

Information about the Toddleshark Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	DARKReading	6 months ago	North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware
	CERT-EU	6 months ago	ScreenConnect flaws exploited to drop new ToddleShark malware