North Korean Hackers Deploy New VeilShell Malware in Southeast Asian Cyberattacks

SHROUDED#SLEEP: North Korean Hackers Deploy New VeilShell Malware | CyberPro Magazine

[Source – bleepingcomputer.com]

A recent cyberattack campaign linked to North Korean threat actors has introduced a previously undocumented malware, VeilShell, targeting Cambodia and other Southeast Asian nations. The campaign, named SHROUDED#SLEEP by cybersecurity firm Securonix, is believed to be orchestrated by APT37, also known by various names including InkySquid, Reaper, and RedEyes.

APT37, which has been active since at least 2012, is connected to North Korea’s Ministry of State Security (MSS) and is known for its advanced cyber espionage operations. Like other North Korean-affiliated groups, such as Lazarus Group and Kimsuky, APT37’s objectives are suspected to align with the state’s evolving interests. Their arsenal includes various custom malware, with the most notable being RokRAT (also known as Goldbackdoor), used for covert intelligence gathering.

VeilShell’s Capabilities and Infection Methods

The primary weapon of this latest campaign is VeilShell, a backdoor and remote access trojan (RAT) that grants attackers full access to compromised machines. According to researchers Den Iuzvyk and Tim Peck from Securonix, the malware allows threat actors to exfiltrate data, manipulate the Windows registry, and create or alter scheduled tasks.

The initial infection vector is currently unknown, though it is suspected that spear-phishing emails deliver a ZIP archive containing a Windows shortcut (LNK) file. Once launched, the LNK file runs embedded PowerShell code that extracts additional components, including a decoy Excel or PDF document that is opened to distract the user. In the background, further malicious files are written to the Windows startup folder so that they run again at the next start-up, giving the attackers persistence.
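As an added illustration (not code from the article or from Securonix), the following Python triages a Windows shortcut the way an analyst would before anyone double-clicks it: it parses the .lnk header and StringData per the MS-SHLLINK layout to recover the target, arguments and icon, then flags PowerShell command lines carrying hidden-window, encoded-command or execution-policy-bypass switches, a document icon on a non-document target, and a minimised ShowCommand. The sample shortcut, its paths, icon and command line are constructed here to exercise the parser; they are not indicators from the SHROUDED#SLEEP campaign.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in file order, each with its LinkFlags bit.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SW_SHOWMINNOACTIVE = 7  # window starts minimised, hiding the console the LNK spawns


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields (target, arguments, icon...)."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                 # LinkTargetIDList: uint16 size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:               # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for field, bit in STRING_FIELDS:       # each: uint16 CountCharacters, then chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


# Switches and cmdlets worth flagging in a shortcut's PowerShell command line.
SUSPICIOUS_ARGS = (
    ("-enc", "encoded command"), ("-w hidden", "hidden window"),
    ("-windowstyle hidden", "hidden window"), ("-nop", "no profile"),
    ("bypass", "execution policy bypass"), ("iex", "Invoke-Expression"),
    ("downloadstring", "remote download"), ("invoke-webrequest", "remote download"),
    ("[io.file]", "raw file I/O, e.g. carving payloads out of the LNK itself"),
)
DECOY_ICONS = ("excel", "winword", "acrord32", ".pdf", ".xls", ".doc")


def triage_lnk(data: bytes) -> list:
    """Heuristic findings for one .lnk; an empty list means nothing stood out."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "").lower()
    findings = []
    if "powershell" in target or "pwsh" in target or "powershell" in args:
        findings.append("launches PowerShell")
        for token, why in SUSPICIOUS_ARGS:
            if token in args:
                findings.append(f"{why} ({token})")
        if any(d in info.get("icon_location", "").lower() for d in DECOY_ICONS):
            findings.append("document icon on a PowerShell shortcut (decoy)")
        if info["show_command"] == SW_SHOWMINNOACTIVE:
            findings.append("window opens minimised")
    return findings


def build_lnk(strings: dict, show_command: int = 1) -> bytes:
    """Assemble a minimal .lnk so the parser can be exercised offline (constructed data)."""
    flags, body = IS_UNICODE | HAS_IDLIST, b""
    for field, bit in STRING_FIELDS:
        if field in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[field])) + strings[field].encode("utf-16-le")
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"   # IDList holding only the TerminalID
    return header + idlist + body


# Constructed lure: really launches PowerShell, hidden, with an arbitrary encoded
# blob (UTF-16 "AAAA"), while wearing an Excel icon. Not a sample from the campaign.
LURE_LNK = build_lnk({
    "relative_path": r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "arguments": "-nop -w hidden -ep bypass -enc QQBBAEEAQQA=",
    "icon_location": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
}, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk({"relative_path": r"..\..\Windows\notepad.exe"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob).get("relative_path"), triage_lnk(blob))
```

Run it over every .lnk extracted from a suspect archive; a shortcut whose visible icon says "spreadsheet" but whose findings say "launches PowerShell" is exactly the lure shape the article describes, and the recovered command line is what you hand to the next stage of analysis.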

One of the standout techniques in this campaign is the use of AppDomainManager injection to execute a malicious DLL file named “DomainManager.dll” during system startup. A .NET executable reads its configuration file (the .exe.config placed beside it) when it launches, and that file can name an assembly and type for the runtime to load as the AppDomainManager before the program’s own code runs; dropping a legitimate .NET host into the startup folder together with such a config therefore gets the attacker’s DLL loaded by an otherwise benign process. The approach, gaining popularity among advanced threat actors, is used to bypass detection that keys on suspicious loaders rather than on what a trusted process loads.
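The check a defender wants here is a sweep of the Startup folders for .exe.config files that designate an AppDomainManager, plus a look at the two environment variables that achieve the same hijack. The Python below is an added example, not Securonix’s or the article’s code; it parses the documented <runtime> elements (appDomainManagerAssembly, appDomainManagerType) and reports whether the named assembly is dropped next to the host. The sample config strings, the host name “host.exe” and the type name “Injected” are constructed for the demonstration; only the assembly name “DomainManager” comes from the article.

```python
import os
import xml.etree.ElementTree as ET
from typing import Optional

# <configuration><runtime> children the CLR reads to choose an AppDomainManager. With
# both set, the runtime loads that assembly and instantiates that type before the
# host executable's own entry point runs.
MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# The same hijack can be set per process through these environment variables.
MANAGER_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
# Where Windows runs shortcuts and executables at logon (per user and all users).
STARTUP_FOLDERS = (
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
)


def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return {'assembly', 'type'} if the config designates an AppDomainManager, else None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in MANAGER_ELEMENTS:
                found[child.tag] = child.get("value", "")
    if "appDomainManagerAssembly" not in found:
        return None
    return {"assembly": found["appDomainManagerAssembly"],
            "type": found.get("appDomainManagerType", "")}


def assembly_dll_name(display_name: str) -> str:
    """'DomainManager, Version=1.0.0.0, ...' -> 'DomainManager.dll' (the file the CLR probes for)."""
    return display_name.split(",")[0].strip() + ".dll"


def scan_startup_folder(folder: str) -> list:
    """Flag <exe>.config files in a Startup folder that set an AppDomainManager."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".exe.config"):
            continue
        path = os.path.join(folder, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            mgr = find_appdomain_manager(fh.read())
        if mgr is None:
            continue
        dll = assembly_dll_name(mgr["assembly"])
        hits.append({
            "config": path,
            "host": path[:-len(".config")],        # the .NET executable the config belongs to
            "assembly": mgr["assembly"],
            "type": mgr["type"],
            "dll_beside_host": os.path.exists(os.path.join(folder, dll)),
        })
    return hits


def check_environment(env: dict) -> list:
    """Report AppDomainManager environment overrides present in a process environment."""
    return [f"{k}={env[k]}" for k in MANAGER_ENV if k in env]


# Constructed configs, not files recovered from the campaign. The malicious one mirrors
# the described layout: a .NET host in Startup whose config names "DomainManager".
MALICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Injected" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
  <runtime><gcServer enabled="true" /></runtime>
</configuration>"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as startup:   # stand-in for a real Startup folder
        with open(os.path.join(startup, "host.exe.config"), "w") as fh:
            fh.write(MALICIOUS_CONFIG)                # hypothetical host name
        open(os.path.join(startup, "DomainManager.dll"), "wb").close()
        with open(os.path.join(startup, "tool.exe.config"), "w") as fh:
            fh.write(BENIGN_CONFIG)
        for hit in scan_startup_folder(startup):
            print(hit)
    print(check_environment(dict(os.environ)))
```

On a real host, expand each entry of STARTUP_FOLDERS with os.path.expandvars and feed it to scan_startup_folder; any hit is worth a look, because a .NET executable with a custom AppDomainManager has no business sitting in a Startup folder. The etwEnable element in the constructed config is shown because attackers commonly pair it with the hijack to blind ETW-based telemetry, so its presence beside the manager elements strengthens the signal.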

Long-Term Control Through VeilShell

The ultimate goal of the attack is to establish long-term control over infected systems through VeilShell. This PowerShell-based malware connects to a command-and-control (C2) server and awaits further instructions. Its capabilities include gathering file information, uploading data back to the C2 server, downloading files from remote servers, and manipulating local files. Notably, the malware builds long sleep intervals into each action, a tactic designed to outlast the limited observation window of sandboxes and other heuristic-based security measures.

The SHROUDED#SLEEP campaign is characterized by a patient and methodical approach, with each stage of the attack featuring delayed execution to avoid detection. Once VeilShell is deployed, it remains inactive until the next system reboot, further reducing the chances of early discovery.

Broader North Korean Cyber Activities

The discovery of this campaign comes shortly after Symantec, another cybersecurity firm, revealed a separate attack by the North Korean hacker group Andariel. In August 2024, Andariel targeted three organizations in the U.S. in what appears to be a financially motivated operation. These incidents highlight the increasing cyber threats posed by North Korean-affiliated groups, whose objectives range from espionage to financial gain.

The SHROUDED#SLEEP operation demonstrates the evolving sophistication of North Korean cyberattacks, particularly in their use of advanced techniques and multi-layered malware to maintain long-term access to targeted systems. As cybersecurity experts continue to uncover these threats, the global community must remain vigilant against these persistent and evolving actors.
