
North Korean hackers deploy new VeilShell backdoor

VeilShell backdoor
North Korean hackers have been observed delivering a previously undocumented backdoor and remote access trojan called VeilShell. The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the work of a group known as InkySquid, which is part of North Korea’s Ministry of State Security. The initial payload is a ZIP archive containing a Windows shortcut file.

It is suspected that spear-phishing emails may be involved in the delivery. The shortcut file triggers the execution of PowerShell code to extract next-stage components, including a lure document, a configuration file, and a malicious DLL file. The attack chain uses a technique called AppDomainManager injection to execute the DLL file when a legitimate executable is launched at startup.
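A defender-side check for the AppDomainManager injection described above, added here as an example and not taken from the Securonix report: it inspects a .NET `<exe>.config` file for the runtime `appDomainManagerAssembly` / `appDomainManagerType` settings that this technique relies on, so autorun locations can be swept for executables whose config has been pointed at an unexpected assembly. The config text, file names and assembly names below are constructed placeholders.

```python
"""Flag .NET application config files that install a custom AppDomainManager.

AppDomainManager injection pairs a legitimate .NET executable with a crafted
<exe>.config whose <runtime> section names an attacker-supplied assembly; the
CLR loads that assembly when the executable starts. Sweeping startup and
autorun directories for such configs is one way to surface the technique.
Sample configs here are constructed for illustration (not real artifacts).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Runtime settings that hand control to a custom AppDomainManager.
SUSPECT_KEYS = {"appDomainManagerAssembly", "appDomainManagerType"}


@dataclass
class Finding:
    path: str
    assembly: Optional[str]
    manager_type: Optional[str]


def inspect_config(path: str, xml_text: str) -> Optional[Finding]:
    """Return a Finding if <configuration><runtime> sets an AppDomainManager."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:  # not well-formed XML: nothing the CLR would honour
        return None
    if root.tag != "configuration":
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    values = {c.tag: c.get("value") for c in runtime if c.tag in SUSPECT_KEYS}
    if not values:
        return None
    return Finding(path, values.get("appDomainManagerAssembly"),
                   values.get("appDomainManagerType"))


def sweep(configs: Dict[str, str]) -> List[Finding]:
    """Apply inspect_config to a mapping of config path -> file contents."""
    return [f for p, x in configs.items() if (f := inspect_config(p, x))]


# Constructed samples: a benign config and one carrying an AppDomainManager.
BENIGN_CONFIG = ('<configuration><startup><supportedRuntime version="v4.0"/>'
                 '</startup></configuration>')
SUSPICIOUS_CONFIG = ('<configuration><runtime>'
                     '<appDomainManagerAssembly value="PlaceholderLib, Version=1.0.0.0"/>'
                     '<appDomainManagerType value="PlaceholderLib.Manager"/>'
                     '</runtime></configuration>')
SAMPLE_CONFIGS = {"C:\\Startup\\good.exe.config": BENIGN_CONFIG,
                  "C:\\Startup\\host.exe.config": SUSPICIOUS_CONFIG}

if __name__ == "__main__":
    for finding in sweep(SAMPLE_CONFIGS):
        print(f"{finding.path}: loads {finding.assembly} via {finding.manager_type}")
```

A hit is not proof of compromise on its own; confirm that the named assembly exists beside the executable and whether the vendor legitimately ships it.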

The DLL file retrieves JavaScript code from a remote server, which then contacts a different server to obtain the VeilShell backdoor. VeilShell is a PowerShell-based malware designed to communicate with a command-and-control server. It can gather file information, compress folders, download files, and rename or delete files.

The threat actors are patient and methodical, using long sleep times to avoid traditional heuristic detections. “The SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia, leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems,” the researchers noted. APT37, also known as InkySquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, has been targeting Cambodia with malicious emails related to Cambodian affairs in the primary language, Khmer.

North Korean hackers deploy new backdoor

The emails contain maliciously crafted shortcut files that conceal the VeilShell backdoor. Tim Peck, a senior threat researcher at Securonix, explains, “It’s incredibly common—if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit. It’s easy, it’s effective, and it pairs really well with phishing emails.”

APT37 uses long sleep timers to spread out different stages of the attack chain. “The threat actors were incredibly patient, slow, and methodical. They used long sleep timers—up to 6,000 seconds—between different attack stages,” says Peck.

In a related campaign, North Korean hackers have been using a new malware called MISTPEN to target employees in the energy and aerospace industries. The group, tracked as UNC2970 by Mandiant, is linked to the Lazarus Group and North Korea’s primary intelligence agency, the Reconnaissance General Bureau. UNC2970 targets victims by posing as recruiters for prominent companies.

They send a malicious ZIP archive disguised as a job description, which triggers the execution of a malicious DLL file called BURNBOOK. MISTPEN is a trojanized version of a Notepad++ plugin that can download and execute files from a command-and-control server. Experts advise employers and employees to exercise caution with job postings and open-source tools, especially those related to Python development.

Organizations must remain vigilant and enforce robust cybersecurity protocols to protect their assets and information as these threats continue to evolve.
