Attacks leveraging the ConnectWise ScreenConnect vulnerabilities tracked as CVE-2024-1708 and CVE-2024-1709 have been launched by the North Korean state-sponsored hacking group Kimsuky, also known as Velvet Chollima and Thallium, to deploy the ToddleShark malware, which is suspected to be an updated version of the group's ReconShark and BabyShark payloads, BleepingComputer reports.
After infiltrating vulnerable ScreenConnect instances and executing malicious scripts through legitimate Microsoft binaries, Kimsuky has ToddleShark modify the Windows Registry's VBAWarnings keys before gathering various system information, which is later exfiltrated to an attacker-controlled command-and-control server, according to an upcoming report from Kroll. Moreover, ToddleShark's polymorphic nature has let it effectively conceal malicious activity: the malware uses random function and variable names in its VBScript, randomized strings and code positioning, and dynamically generated URLs for downloading further stages, according to Kroll researchers, who will be providing more information regarding the malware's indicators of compromise.
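As an added defensive check, not code from the article or the Kroll report, the following PowerShell script audits the per-user Office VBAWarnings registry values and flags any set to 1 (all macros enabled). It assumes the keys the report refers to are Office's Trust Center VBAWarnings values under the documented `HKCU\Software\Microsoft\Office\<version>\<app>\Security` and policy paths.

```powershell
# Added example: audit Office VBAWarnings values (not from the original article).
# Documented VBAWarnings meanings:
#   1 = enable all macros (weakest), 2 = disable with notification,
#   3 = disable except digitally signed, 4 = disable all without notification.
$roots = @(
    'HKCU:\Software\Microsoft\Office',          # per-user Trust Center settings
    'HKCU:\Software\Policies\Microsoft\Office'  # settings applied by Group Policy
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # Layout is <root>\<version>\<app>\Security, e.g. ...\16.0\Word\Security
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Security' } |
        ForEach-Object {
            $value = (Get-ItemProperty -Path $_.PSPath -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -ne $value) {
                [pscustomobject]@{
                    Key         = $_.Name
                    VBAWarnings = $value
                    # A value of 1 silently allows every macro to run; compare against your baseline.
                    Suspicious  = ($value -eq 1)
                }
            }
        }
}

$findings | Format-Table -AutoSize

$flagged = @($findings | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} Office Security key(s) have VBAWarnings=1 (all macros enabled)." -f $flagged.Count)
}
```

Running this under each interactive user account gives a point-in-time view; pairing it with registry-modification telemetry (for example Sysmon registry value set events on these paths) catches the change itself rather than only its result.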