The recent emergence of a novel backdoor known as “VeilShell” has caught the attention of cybersecurity experts, shedding light on the activities of the North Korean state-sponsored threat actor APT37. While most APTs originating from North Korea have historically targeted organizations in South Korea or Japan, APT37 has taken a different approach by directing its latest campaign towards Cambodia.
The strained relationship between North Korea and Cambodia is a notable factor in this shift. Despite historical ties stemming from Soviet alliances in the region, the two nations hold divergent positions on critical issues such as nuclear weapons and diplomatic relations. North Korea’s provocative actions, including its nuclear weapons program and aggressive behavior towards neighboring countries, stand in contrast to Cambodia’s stance on weapons of mass destruction and its advocacy for diplomatic dialogue in the region.
Securonix, a cybersecurity company, has identified a new campaign named “SHROUDED#SLEEP” targeting Cambodian organizations, believed to be orchestrated by the North Korean regime. The campaign uses malicious emails about Cambodian affairs, written in the country’s primary language, Khmer, to lure targets. For instance, one email offers access to a spreadsheet detailing annual income data in US dollars across various sectors in Cambodia.
These emails contain maliciously crafted shortcut files that serve as a disguise for the VeilShell backdoor, allowing unauthorized access to targeted networks. The infection process typically involves a .ZIP archive containing a Windows shortcut (.LNK) file, often used in phishing emails due to its effectiveness in evading detection. By concealing the true nature of the file with double extensions and altered icons, APT37 successfully tricks recipients into executing the malicious payload.
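The infection chain described above (a .ZIP attachment carrying a .LNK shortcut hidden behind a double extension) is something a mail gateway or analyst can check for mechanically. The following script is an added example written for this article, not code from Securonix or from the campaign; the archive it inspects is constructed in memory with made-up file names. It flags shortcut entries, shortcut entries that hide behind a second extension such as `.xlsx.lnk`, and entries whose bytes begin with the Shell Link header (the `0x4C` header size followed by the `00021401-0000-0000-C000-000000000046` CLSID) even though the name carries a non-.lnk extension.

```python
import io
import zipfile

# Every Shell Link (.LNK) file starts with HeaderSize = 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def triage_archive(zip_bytes: bytes) -> list:
    """Return a list of {'name', 'reasons'} dicts for archive entries worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base_name = info.filename.rsplit("/", 1)[-1]
            parts = base_name.lower().split(".")
            # Only the first bytes are needed to recognise the Shell Link header.
            head = zf.open(info).read(len(LNK_MAGIC))
            reasons = []
            if parts[-1] == "lnk":
                reasons.append("shortcut file in archive")
                if len(parts) >= 3:
                    # e.g. "report.xlsx.lnk": the visible extension is a decoy
                    reasons.append(f"double extension (.{parts[-2]}.lnk)")
            if head == LNK_MAGIC and parts[-1] != "lnk":
                reasons.append("Shell Link header under non-.lnk extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical names, not samples from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Annual_Income_2024.xlsx.lnk", LNK_MAGIC + b"\x00" * 60)  # double extension
        zf.writestr("notes.txt", b"plain text, nothing to see here")
        zf.writestr("budget.xls", LNK_MAGIC + b"\x00" * 60)  # LNK content, spoofed extension
        zf.writestr("shortcut.lnk", LNK_MAGIC + b"\x00" * 60)  # honest .lnk, still worth noting
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The header check matters more than the name check: renaming a file costs the attacker nothing, while the Shell Link header has to be present for Explorer to treat the file as a shortcut at all.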
VeilShell, the backdoor implanted through these shortcuts, is a powerful tool equipped with remote access capabilities. Capable of downloading/uploading files, modifying system settings, and creating persistent scheduled tasks, VeilShell empowers threat actors to maintain control over compromised systems for extended periods. APT37 also implements advanced techniques like AppDomainManager injection to achieve stealth and evade detection.
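AppDomainManager injection, mentioned above, works by pointing a .NET executable at an attacker-supplied assembly through its `.exe.config` file (the `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>`) or through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables. Those settings are rarely used by legitimate software, so their presence is a useful hunting signal. The checker below is an added example written for this article, not Securonix's or the threat actor's code; the two config documents and the environment dictionary it examines are constructed samples with hypothetical values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an ordinary application config with no AppDomainManager settings.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
  </startup>
</configuration>
"""

# Constructed sample: the shape an AppDomainManager injection config takes
# (assembly and type names are hypothetical placeholders).
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Helper.Manager"/>
  </runtime>
</configuration>
"""

# Environment variables that make the CLR load a custom AppDomainManager.
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def check_app_config(xml_text: str) -> dict:
    """Report whether a .NET app config names a custom AppDomainManager and which one."""
    result = {"injection_configured": False, "assembly": None, "type": None}
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return result
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is not None:
        result["assembly"] = asm.get("value")
    if typ is not None:
        result["type"] = typ.get("value")
    result["injection_configured"] = result["assembly"] is not None or result["type"] is not None
    return result


def check_environment(env: dict) -> dict:
    """Return any AppDomainManager-related variables present in a process environment."""
    return {key: env[key] for key in ENV_KEYS if key in env}


if __name__ == "__main__":
    print("benign:", check_app_config(BENIGN_CONFIG))
    print("suspicious:", check_app_config(SUSPICIOUS_CONFIG))
    # Constructed environment snapshot, as a process-inspection tool might collect it.
    print("env:", check_environment({"PATH": "C:\\Windows", "APPDOMAIN_MANAGER_ASM": "Helper"}))
```

In practice the config check is run over `*.exe.config` files that appear alongside signed or well-known executables in user-writable locations, and the environment check over the environment blocks of processes started by scheduled tasks, since the article notes the backdoor uses scheduled tasks for persistence.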
To minimize the risk of detection, APT37 employs tactics such as long sleep timers between attack stages, ensuring a slow and methodical approach to its operations. By delaying malicious activities and allowing files to execute upon system reboot, the threat actor maintains a low profile and maximizes the longevity of its presence on compromised systems.
Overall, the SHROUDED#SLEEP campaign highlights the sophistication and persistence of APT37’s operations, combining advanced techniques with purpose-built tooling to infiltrate and control targeted networks. As cybersecurity experts continue to monitor and analyze these activities, the importance of vigilance and robust defenses against such threats becomes increasingly evident.
