Unveiling VeilShell: North Korea’s New Cyber Espionage Tool Targeting Southeast Asia
Threat actors linked to North Korea have been observed deploying a previously undocumented backdoor and remote access trojan (RAT) tracked as VeilShell. The malware is delivered as part of a campaign that Securonix tracks as SHROUDED#SLEEP, which primarily targets Cambodia and likely other Southeast Asian countries. The campaign is notable less for the backdoor itself than for how it is staged: shortcut files, PowerShell and abuse of .NET configuration files, combined with long sleep intervals, all chosen to stay below the thresholds of conventional detection.
The Architects Behind the Attack: APT37
The campaign is attributed to APT37, a hacking group also tracked as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet and ScarCruft. Active since at least 2012, APT37 is assessed to operate under North Korea’s Ministry of State Security (MSS). Like other state-aligned groups, its targeting and tooling shift with the regime’s priorities.
Historically, APT37 has relied on custom malware, most notably RokRAT (also known as Goldbackdoor), and has a record of building bespoke tooling for covert intelligence collection, which makes it a capable and persistent adversary.
The Mechanics of VeilShell
The intrusion begins with a ZIP archive containing a Windows shortcut (LNK) file. The exact delivery method has not been confirmed, but spear-phishing email is the likely vector. When the victim opens the shortcut it acts as a dropper: it launches PowerShell code that decodes and extracts the remaining components, which are embedded in the shortcut file itself.
To avoid suspicion, the dropper also opens a decoy document (a Microsoft Excel spreadsheet or a PDF) so the user sees something like the file they expected. In the background it writes a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") to the Windows Startup folder, which gives the chain persistence: everything in that folder is launched again at the next user logon.
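Because the dropper is an ordinary-looking shortcut, the first thing a responder wants is a quick way to triage LNK files for the traits described above: a target of PowerShell (or another script host), evasive command-line switches, and a file size far above what a real shortcut needs, since this one carries its own payload and decoy documents. The script below is an added example written for this page, not code from the Securonix report; the 20 KB threshold and the regular expressions are heuristics chosen here, not values from the report.

```powershell
# Added example (not from the Securonix report): triage .lnk files for the
# SHROUDED#SLEEP dropper pattern. Requires Windows (uses the WScript.Shell COM
# object to read shortcut targets). Size threshold is an assumption: a normal
# shortcut is a few KB, so anything much larger is worth a second look.

function Get-SuspiciousLnk {
    param(
        [Parameter(Mandatory)][string]$Folder,    # folder to scan recursively
        [int]$SizeThresholdBytes = 20KB           # heuristic, not from the report
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk reads it; it does not create a new one.
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [string]$lnk.TargetPath
            $args   = [string]$lnk.Arguments
            $reasons = @()

            # 1. Shortcut launches a script host instead of a document or application.
            if ($target -match '(?i)(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?$') {
                $reasons += "target is a script host: $target"
            }
            # 2. Arguments use switches typical of hidden / encoded PowerShell stages.
            if ($args -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden|-nop|-ep\s+bypass|executionpolicy') {
                $reasons += 'arguments use hidden/encoded PowerShell switches'
            }
            # 3. File is far larger than a shortcut needs to be: payload probably embedded.
            if ($_.Length -gt $SizeThresholdBytes) {
                $reasons += "shortcut is $($_.Length) bytes (embedded payload likely)"
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File      = $_.FullName
                    SizeBytes = $_.Length
                    Target    = $target
                    Arguments = $args
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
}

# Usage: extracted ZIP contents usually land in Downloads; scan it and list findings.
Get-SuspiciousLnk -Folder (Join-Path $env:USERPROFILE 'Downloads') | Format-List
```

Any single finding is only a lead; a shortcut that matches all three conditions (script-host target, hidden or encoded arguments, oversized file) should be pulled for analysis rather than opened.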
A Unique Injection Technique
What distinguishes this chain is its use of AppDomainManager injection for execution. When a .NET executable starts, the runtime reads the <runtime> section of the matching <name>.exe.config file; if that section names an appDomainManagerAssembly and an appDomainManagerType, the CLR loads that assembly and instantiates the type before the program’s own entry point runs. Here, launching "d.exe" from the Startup folder makes the runtime read "d.exe.config" and load "DomainManager.dll", so the malicious code runs inside a benign-looking process without any injection into another process. The technique has recently been adopted by several threat actors, including China-aligned groups, and appears to be spreading beyond the actors that first used it.
The DLL is only a loader: it retrieves JavaScript from a remote server, and that script in turn contacts a second server to fetch the VeilShell backdoor. VeilShell itself is written in PowerShell and maintains a channel to a command-and-control (C2) server from which the operators issue commands for data exfiltration, file manipulation and other post-compromise activity.
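The persistence artefacts are small and specific, so they are easy to hunt for: an <exe>.config in a Startup folder whose <runtime> section names an appDomainManagerAssembly, the host executable beside it, and the named assembly’s DLL in the same folder. The script below is an added example written for this page, not code from the Securonix report. The sample configuration it parses is constructed here to show what such a file looks like; the type name "DomainManager.Manager" is a placeholder, as the report excerpted above does not give the real type name.

```powershell
# Added example (not from the Securonix report): hunt both Startup folders for
# the AppDomainManager injection pattern. The sample config below is constructed
# for this example; "DomainManager.Manager" is an assumed type name.

function Get-AppDomainManagerSetting {
    # Returns the appDomainManagerAssembly / appDomainManagerType values from an
    # application config document, or $null when neither is set.
    param([Parameter(Mandatory)][xml]$Config)
    $asmNode  = $Config.SelectSingleNode('/configuration/runtime/appDomainManagerAssembly')
    $typeNode = $Config.SelectSingleNode('/configuration/runtime/appDomainManagerType')
    if (-not $asmNode -and -not $typeNode) { return $null }
    [pscustomobject]@{
        Assembly = if ($asmNode)  { $asmNode.GetAttribute('value') }  else { $null }
        Type     = if ($typeNode) { $typeNode.GetAttribute('value') } else { $null }
    }
}

function Test-StartupConfig {
    # Reports a config file that sets an AppDomainManager, together with the
    # host executable and manager DLL expected beside it.
    param([Parameter(Mandatory)][string]$ConfigPath)
    try   { [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop }
    catch { return }                                   # not well-formed XML; nothing to report
    $setting = Get-AppDomainManagerSetting -Config $cfg
    if (-not $setting) { return }
    $dir     = Split-Path -Parent $ConfigPath
    $exePath = $ConfigPath -replace '\.config$', ''    # d.exe.config -> d.exe
    # "DomainManager, Version=1.0.0.0, ..." -> DomainManager.dll in the same folder
    $dllPath = if ($setting.Assembly) {
        Join-Path $dir ((($setting.Assembly -split ',')[0]).Trim() + '.dll')
    } else { $null }
    [pscustomobject]@{
        Config            = $ConfigPath
        HostExe           = $exePath
        HostExePresent    = Test-Path -LiteralPath $exePath
        ManagerAssembly   = $setting.Assembly
        ManagerType       = $setting.Type
        ManagerDll        = $dllPath
        ManagerDllPresent = if ($dllPath) { Test-Path -LiteralPath $dllPath } else { $false }
    }
}

# 1. What a malicious <exe>.config looks like (constructed sample, parsed inline).
[xml]$sampleConfig = @"
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Manager" />
  </runtime>
</configuration>
"@
Get-AppDomainManagerSetting -Config $sampleConfig

# 2. Hunt the per-user and all-users Startup folders on this host.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$hits = foreach ($dir in $startupDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe.config' -File -ErrorAction SilentlyContinue |
            ForEach-Object { Test-StartupConfig -ConfigPath $_.FullName }
    }
}
if ($hits) { $hits | Format-List } else { 'No appDomainManager settings found in Startup folders.' }
```

Legitimate software almost never drops an <exe>.config into a Startup folder, so any hit is worth investigating; a hit where both HostExePresent and ManagerDllPresent are true is the complete injection triad and should be treated as an active persistence mechanism. The same check can be pointed at other autorun locations by changing $startupDirs.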
A Patient and Methodical Approach
Researchers at Securonix, who analyzed the SHROUDED#SLEEP campaign, highlighted how deliberately slow the operators are. Every stage is padded with long sleep intervals, which defeats sandbox and heuristic detections that only observe a process for a short window. Once VeilShell is staged it does not run at all until the next system reboot, because execution depends on the Startup folder entry; the implant therefore leaves no immediate footprint on the host.
Securonix characterized SHROUDED#SLEEP as a sophisticated, stealthy operation that stacks several execution and persistence layers, giving the attackers durable, long-term control of compromised systems.
Broader Implications and Recent Developments
The emergence of VeilShell and the SHROUDED#SLEEP campaign comes on the heels of other notable activities by North Korean threat actors. Just a day prior to the Securonix report, Symantec revealed that a different North Korean group, tracked as Andariel, had targeted three organizations in the U.S. as part of a financially motivated campaign. This highlights the diverse objectives of North Korean cyber actors, ranging from espionage to financial gain.
Organizations in Southeast Asia and beyond should treat the specifics of this chain as detection requirements: alert on shortcut files that launch PowerShell, monitor the Startup folders for new .exe.config and DLL pairs, and extend sandbox dwell times so that stages which sleep for minutes are still observed. VeilShell is a reminder that state-sponsored tooling keeps adapting to whatever defenders are not yet watching.
Conclusion
The discovery of VeilShell and its deployment by North Korean threat actors is a notable development in the ongoing contest against cyber espionage. As state-sponsored groups refine their tools and tradecraft, organizations need to keep their defenses current and stay informed about emerging techniques such as AppDomainManager injection. SHROUDED#SLEEP shows why proactive, technique-driven defense matters when adversaries are patient and well resourced.
For those interested in staying updated on the latest cybersecurity developments, following reputable sources and engaging with the cybersecurity community is essential. The fight against cyber threats is ongoing, and awareness is the first step in safeguarding sensitive information and infrastructure.