
North Korean hackers deploy new VeilShell malware


The North Korean state-sponsored hacking group known as APT37 has been caught using a new malware tool called “VeilShell” to target victims in Cambodia and other Southeast Asian countries. Researchers at the U.S. cybersecurity firm Securonix discovered the campaign, which they have dubbed “SHROUDED#SLEEP.” The hackers use phishing emails written in the Khmer language to lure targets into opening malicious ZIP files. These archives contain Windows shortcut (.LNK) files disguised as legitimate PDF or Excel documents.

When opened, the shortcut files secretly install the VeilShell backdoor on the victim’s computer. VeilShell is a sophisticated Remote Access Trojan (RAT) written in PowerShell that allows attackers to gain full control over the compromised machine.
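The lure described above (shortcut files inside a ZIP archive, named to look like PDF or Excel documents) is something a mail gateway or analyst can screen for before anything is opened. The following script is an added example for this article, not code from Securonix or from the campaign: it inspects a ZIP archive for members that carry a `.lnk` extension behind a document extension, and separately for members whose bytes start with the Windows ShellLink header regardless of name. The archive it builds, the file names in it, and the `build_archive`/`suspicious_members` helper names are all constructed for this illustration; the shortcut entries contain only the header bytes, not working shortcuts.

```python
import io
import zipfile

# Document extensions an attacker may place in front of .lnk so the shortcut
# looks like a PDF or spreadsheet (the article describes exactly this lure).
DOCUMENT_EXTENSIONS = {".pdf", ".xls", ".xlsx", ".doc", ".docx"}

# Bytes that open every Windows shortcut: HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_lnk_content(data: bytes) -> bool:
    """Return True if the bytes begin with the Windows ShellLink header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Report archive members that are shortcuts posing as documents.

    A member is flagged when its name ends in .lnk (with an extra note if the
    name in front of .lnk carries a document extension, e.g. report.pdf.lnk),
    or when its content is a shortcut even though the name says otherwise.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            data = zf.read(info)
            reasons = []
            if name.endswith(".lnk"):
                reasons.append("lnk extension")
                stem = name[:-4]
                inner_ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
                if inner_ext in DOCUMENT_EXTENSIONS:
                    reasons.append(f"double extension ({inner_ext}.lnk)")
            elif is_lnk_content(data):
                reasons.append("shortcut content under a non-.lnk name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed sample resembling the lure: two disguised shortcuts plus
    two harmless files. Names and contents are made up for this example."""
    return build_archive({
        "Meeting_Report.pdf.lnk": LNK_MAGIC + b"\x00" * 32,
        "Budget_2024.xlsx.lnk": LNK_MAGIC + b"\x00" * 32,
        "readme.txt": b"Please review the attached documents.\n",
        "chart.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    })


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

Checking the header bytes as well as the name matters because Windows Explorer hides the `.lnk` extension of shortcuts, so a name alone can mislead a human reviewer; the content check catches a shortcut that has been renamed to something else entirely.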

Some of VeilShell’s capabilities include extracting data, creating or modifying registry entries and scheduled tasks, downloading additional files, renaming and deleting files, and extracting ZIP archives.

North Korean hackers’ VeilShell tactics

The malware is designed to be stealthy, using long sleep timers between different stages of the attack to avoid triggering antivirus detections.

“Overall, the threat actors were quite patient and methodical,” the Securonix researchers noted in their report. “Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed, it doesn’t actually execute until the next system reboot.”

APT37, believed to be linked to North Korea’s Ministry of State Security, has been active since at least 2012.

The group is also known by other names, including InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. While North Korean hacking groups often focus their attacks on South Korea and Japan, the targeting of Cambodia is notable given the complex diplomatic relationship between North Korea and the Southeast Asian nation. Experts say the discovery of the VeilShell campaign highlights the ongoing cyber threat posed by North Korea and the need for enhanced international cooperation to combat state-sponsored hacking.
