TODDLERSHARK: Kimsuky's Hastily Built Variant of BABYSHARK Deployed Using an 1-Day Exploit


Presented at hack.lu 2024 by

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript-based BABYSHARK malware, which we have called TODDLERSHARK. The malware was used in post-compromise activity following exploitation of two vulnerabilities in ScreenConnect, which were responsibly disclosed by a Kroll analyst but quickly weaponised after details of the vulnerabilities were published. BABYSHARK has been associated, by several sources, with a threat actor Kroll tracks as KTA082 (Kimsuky). The malware utilized a legitimate Microsoft binary and alternate data streams, and exhibited elements of polymorphic behavior. This talk will detail how the exploits work, how Kimsuky was able to quickly operationalize an n-day vulnerability, a teardown of TODDLERSHARK, and how simple detection methods were able to stop an APT group.