Toddleshark

Malware updated a month ago (2024-11-29T13:42:36.332Z)
ToddleShark is a malware family believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. Kroll's analysts identified it in use by the North Korean state-sponsored group Kimsuky against government organizations, research centers, universities and think tanks across the United States, Europe and Asia. Initial access comes through the ConnectWise ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 (both fixed in ScreenConnect 23.9.8).

Indicator-based blocklisting is ineffective against ToddleShark: the hash of the initial payload and the URLs used to download later stages change constantly, so detection has to rest on behaviour rather than on static indicators. Once on a host, ToddleShark launches its stages through legitimate, signed Microsoft binaries to minimize its footprint, modifies registry settings to lower security defenses, and establishes persistence through scheduled tasks. From there it enters a phase of continual data collection and exfiltration, gathering system configuration details, installed security software, user sessions, network connections and running processes. The collected data is encoded into Privacy Enhanced Mail (PEM) certificate blocks and sent to the attacker's command and control (C2) infrastructure, a known Kimsuky tactic.

ToddleShark builds on the anti-detection techniques of earlier Kimsuky malware but introduces significant advances in evasion. Patching ScreenConnect is the essential defensive step, since the exploited vulnerabilities are the initial-access vector. Kroll has indicated that it will share specific details and indicators of compromise (IoCs) in an upcoming blog post. Taken together, its infiltration, persistence, data-gathering and evasion methods make ToddleShark a significant threat.
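As an added example, not code from this page or from Kroll's analysis, the following Python triage script illustrates the behaviour-based detection the description argues for when hashes and URLs cannot be relied on: it scans constructed, simplified Windows event lines for scheduled tasks that launch signed Microsoft binaries, registry writes that lower defenses, and host-reconnaissance commands, and it unwraps a PEM CERTIFICATE block to check whether it holds a real DER certificate or data smuggled in a certificate wrapper. The log format, the binary, registry and command lists, and every sample line and blob are assumptions made for illustration, not ToddleShark indicators.

```python
import base64
import re
from collections import Counter
from dataclasses import dataclass

# --- Assumed behavioural signatures (illustrative, not ToddleShark IoCs) -----
# Signed Microsoft binaries commonly abused to launch malware stages (no .exe).
LOLBINS = {"mshta", "regsvr32", "rundll32", "wscript", "cscript",
           "powershell", "certutil"}
# Registry values whose change to 1 weakens host defenses (Defender, Office macros).
WEAKENING_REG_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
}
# Built-in commands that enumerate config, security software, sessions,
# network connections and running processes.
RECON_CMDS = {"systeminfo", "tasklist", "netstat", "quser", "query",
              "ipconfig", "wmic"}

# Constructed sample telemetry in a simplified "event_id|process|detail" form
# (4698 = scheduled task created, detail = task action; Sysmon 13 = registry
# value set, detail = path=value; Sysmon 1 = process create, detail = command
# line). These lines are made up for the example, not captured activity.
SAMPLE_LOGS = [
    r"4698|C:\Windows\System32\svchost.exe|C:\Windows\System32\mshta.exe C:\Users\Public\update.hta",
    r"13|C:\Windows\System32\reg.exe|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1",
    r"1|C:\Windows\System32\cmd.exe|cmd.exe /c systeminfo > C:\Users\Public\s.txt",
    r"1|C:\Windows\System32\cmd.exe|cmd.exe /c tasklist /v",
    r"1|C:\Windows\System32\cmd.exe|cmd.exe /c netstat -ano",
    r"1|C:\Windows\System32\cmd.exe|cmd.exe /c quser",
    r"4698|C:\Windows\System32\svchost.exe|C:\Program Files\Acme\backup.exe --nightly",
    r"1|C:\Windows\explorer.exe|notepad.exe notes.txt",
]

LINE_RE = re.compile(r"^(?P<eid>\d+)\|(?P<proc>[^|]*)\|(?P<detail>.*)$")


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def _basename(token: str) -> str:
    """Lower-cased file name of a path-like token, with any .exe suffix removed."""
    return token.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def analyse_line(line: str):
    """Return a Finding for one event line, or None if it matches no rule."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    eid, detail = int(m["eid"]), m["detail"]
    tokens = detail.split()
    if eid == 4698 and tokens and _basename(tokens[0]) in LOLBINS:
        return Finding(eid, "persistence:lolbin_scheduled_task", detail)
    if eid == 13:
        key, _, value = detail.partition("=")
        if key in WEAKENING_REG_VALUES and value.strip() == "1":
            return Finding(eid, "defense_evasion:registry_weakening", detail)
    if eid == 1 and {_basename(t) for t in tokens} & RECON_CMDS:
        return Finding(eid, "discovery:host_recon", detail)
    return None


def analyse_logs(lines):
    return [f for f in map(analyse_line, lines) if f is not None]


def summarise(findings):
    return dict(Counter(f.rule for f in findings))


def severity(findings):
    """Escalate when a foothold (persistence or defense evasion) co-occurs
    with broad host reconnaissance; any single hit alone is only medium."""
    counts = summarise(findings)
    recon = counts.get("discovery:host_recon", 0)
    foothold = (counts.get("persistence:lolbin_scheduled_task", 0)
                + counts.get("defense_evasion:registry_weakening", 0))
    if foothold and recon >= 3:
        return "high"
    return "medium" if counts else "low"


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def unwrap_pem_blob(text: str):
    """Decode the first CERTIFICATE block; report whether it is plausibly real.

    Returns (payload, looks_like_x509) or None. A genuine DER-encoded
    certificate starts with the ASN.1 SEQUENCE tag 0x30 (the familiar "MII"
    base64 prefix); anything else under a CERTIFICATE header is data that
    merely borrowed the wrapper and deserves a closer look.
    """
    m = PEM_RE.search(text)
    if m is None:
        return None
    payload = base64.b64decode("".join(m[1].split()))
    return payload, payload[:1] == b"\x30"


# Constructed exfil-style blob: key=value host facts wrapped as a "certificate".
PAYLOAD = b"hostname=WS01\r\nav=Windows Defender\r\nsessions=1\r\n"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(PAYLOAD).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    found = analyse_logs(SAMPLE_LOGS)
    for f in found:
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
    print("severity:", severity(found))
    data, real = unwrap_pem_blob(SAMPLE_PEM)
    print("PEM holds a real certificate:", real, "| decoded:", data)
```

The rules key on what the description says the malware does (signed-binary launches, defense-weakening registry writes, recon commands, PEM-wrapped data) rather than on any hash or URL, so a change of payload or staging domain does not silence them; in production the event format and lists would be replaced with the SIEM's own fields and a tuned allow-list for legitimate administrative tasks.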
Description last updated: 2024-05-04T18:48:47.104Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may refer to the same cluster and are worth reviewing.
Alias: BabyShark (2 votes)
BabyShark is a possible alias for Toddleshark. BabyShark is malware that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Screenconnect
Associated Threat Actors
Threat actor: Kimsuky (association type: unspecified; 2 votes)
The Kimsuky threat actor is associated with Toddleshark. Kimsuky is a threat actor group linked to North Korea, known for malicious cyber activity with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which
Associated Vulnerabilities
Vulnerability: CVE-2024-1709 (association type: unspecified; 2 votes)
The CVE-2024-1709 vulnerability is associated with Toddleshark. CVE-2024-1709 is a critical authentication-bypass vulnerability in ConnectWise ScreenConnect that allows a remote, unauthenticated attacker to bypass the authentication process and gain full access. The issue was identified by Sophos Rapid Response
Source Document References
Information about the Toddleshark malware was read from the documents in the corpus below (display limited to 20 results).