Malware Profile (updated 3 months ago)
ToddleShark is a new malware variant, believed to be an evolution of Kimsuky's BabyShark and ReconShark backdoors. Kroll's analysts identified it being used by the North Korean APT group Kimsuky to target government organizations, research centers, universities, and think tanks across the United States, Europe, and Asia. The malware exploits ScreenConnect flaws, specifically CVE-2024-1708 and CVE-2024-1709, to gain initial access to target systems. Blocklisting is ineffective against ToddleShark because the hash of the initial payload and the URLs used to download additional stages change constantly. Once on a system, ToddleShark uses legitimate Microsoft binaries to minimize its footprint and modifies registry settings to weaken security defenses. It establishes persistence through scheduled tasks and then enters a phase of continual data theft and exfiltration. Among other functions, it gathers system information such as configuration details, installed security software, user sessions, network connections, and running processes. This information is encoded into Privacy Enhanced Mail (PEM) certificates and exfiltrated to the attacker's command and control (C2) infrastructure, a known Kimsuky tactic. ToddleShark stands out for its anti-detection approach, which builds on previous Kimsuky malware but introduces significant advancements. Patching ScreenConnect installations is imperative to defend against this threat. Kroll has indicated that it will share specific details and indicators of compromise (IoCs) relating to ToddleShark in an upcoming blog post. As it stands, ToddleShark poses a significant threat due to its advanced methods of infiltration, persistence, data gathering, and evasion.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p
ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2024-1709 is a critical vulnerability in the ConnectWise ScreenConnect software that allows for an authentication bypass. This flaw can enable a remote non-authenticated attacker to bypass the system's authentication process and gain full access. The issue was identified by Sophos Rapid Response
CVE-2024-1708 is a high-severity software vulnerability found in ConnectWise's ScreenConnect software, specifically targeting versions 23.9.7 and earlier. The flaw was officially disclosed by ConnectWise on February 19, 2024. This vulnerability, alongside another (CVE-2024-1709), presents significan
Source Document References
Information about the ToddleShark malware was drawn from the documents listed below. This display is limited to 20 results.
North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware (5 months ago)
ScreenConnect flaws exploited to drop new ToddleShark malware (5 months ago)