Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New VeilShell Backdoor Malware Reveals Sophistication of North Korean Hackers' Stealthy Attacks



North Korean hackers have been using a new backdoor malware called VeilShell as part of their stealthy cyber attacks, targeting Cambodia and likely other Southeast Asian countries. The malicious activity is believed to be the handiwork of APT37, also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft. This article walks through the VeilShell attack chain and tactics as reported by Securonix, highlighting how the group stages its backdoor through a legitimate .NET executable and why organizations in the region need to stay vigilant against such threats.

  • North Korean hackers are using VeilShell malware in cyber attacks on Cambodia and likely other Southeast Asian countries.
  • The malicious activity is attributed to APT37, also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.
  • The threat actors are believed to be part of North Korea's Ministry of State Security (MSS) and have been active since at least 2012.
  • The attack chain loads its second stage with a lesser-known technique, AppDomainManager injection, which sets this campaign apart from the group's usual tooling.
  • The attack chain drops a lure document plus a configuration file, a malicious DLL and a renamed legitimate .NET executable into the Windows Startup folder; together these stage the VeilShell backdoor.
  • VeilShell is a PowerShell-based malware that contacts a C2 server to await further instructions and allows attackers full access to compromised machines.
  • The attack features long sleep times to avoid traditional heuristic detections, highlighting the sophistication of North Korean hackers' tactics.



    North Korean hackers have been using a new backdoor malware called VeilShell as part of their stealthy cyber attacks, targeting Cambodia and likely other Southeast Asian countries. The malicious activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

    The threat actors have been active since at least 2012 and are assessed to be part of North Korea's Ministry of State Security (MSS). The group is known for its sophisticated tactics and has a variety of malware in its toolbox, including the RokRAT backdoor. This campaign stands out, however, for its use of a lesser-known technique called AppDomainManager injection to move from the initial dropper to the backdoor.

    According to Securonix, the chain starts with a Windows shortcut (LNK) file, likely delivered by spear-phishing, that opens an innocuous-looking lure document to distract the user while a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") are written in the background to the Windows Startup folder. A legitimate, Microsoft-signed executable named "dfsvc.exe", which belongs to the ClickOnce technology in the Microsoft .NET Framework, is copied to the same folder under the name "d.exe", so that the configuration file applies to it.

    When "d.exe" is launched at startup, the .NET runtime reads the accompanying "d.exe.config" file. The AppDomainManager settings in that file instruct the runtime to load DomainManager.dll as the application domain manager, so the attacker's code runs inside the trusted, signed host process before the host's own code does; this is the AppDomainManager injection technique. The DLL behaves like a simple loader: it retrieves JavaScript code from a remote server, which in turn reaches out to a different server to obtain the VeilShell backdoor.
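    The following PowerShell is an added example, not code from Securonix or from this article, that sweeps the Startup folders for the staging pattern described above: an ".exe.config" whose runtime section names an appDomainManagerAssembly and appDomainManagerType (these are the documented .NET Framework runtime settings that make the runtime load a custom AppDomainManager before the host executable's own code runs), the sidecar DLL that setting points to, and a host executable whose PE version resource carries a different original filename (a copied and renamed dfsvc.exe still reports "dfsvc.exe" there). The sample config, the "DomainManager.Injected" type name, the temp-directory demo and the function name are constructed for illustration; the real campaign's files are not reproduced.

```powershell
# Added example (not Securonix's or the article's code): hunt for AppDomainManager
# injection staged through the Startup folder, as described for SHROUDED#SLEEP.
# <appDomainManagerAssembly>/<appDomainManagerType> are the documented .NET Framework
# runtime settings; the sample config and file names in the demo are constructed.

function Find-AppDomainManagerInjection {
    [CmdletBinding()]
    param(
        # Directories to sweep; default to the per-user and all-users Startup folders.
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup')
        )
    )

    foreach ($dir in $Path) {
        if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path -LiteralPath $dir)) { continue }

        # Startup folders normally hold shortcuts, so a <name>.exe.config there is already odd.
        foreach ($cfgFile in Get-ChildItem -LiteralPath $dir -Filter '*.exe.config' -File -ErrorAction SilentlyContinue) {
            try { [xml]$cfg = Get-Content -LiteralPath $cfgFile.FullName -Raw } catch { continue }

            $asmNode  = $cfg.SelectSingleNode('/configuration/runtime/appDomainManagerAssembly')
            $typeNode = $cfg.SelectSingleNode('/configuration/runtime/appDomainManagerType')
            if (-not $asmNode) { continue }   # no AppDomainManager override: not this pattern

            $asmName    = $asmNode.GetAttribute('value')
            $simpleName = ($asmName -split ',')[0].Trim()             # "DomainManager, Version=..." -> "DomainManager"
            $dllPath    = Join-Path $cfgFile.DirectoryName "$simpleName.dll"
            $exePath    = $cfgFile.FullName -replace '\.config$', ''   # d.exe.config -> d.exe

            # A renamed signed Microsoft binary keeps its original name in the version
            # resource, which is how a dfsvc.exe copied as d.exe gives itself away.
            $exeInfo = $null
            if (Test-Path -LiteralPath $exePath) {
                $sig     = Get-AuthenticodeSignature -LiteralPath $exePath
                $exeInfo = [pscustomobject]@{
                    Signature        = $sig.Status
                    Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    OriginalFilename = (Get-Item -LiteralPath $exePath).VersionInfo.OriginalFilename
                }
            }

            [pscustomobject]@{
                ConfigFile       = $cfgFile.FullName
                TargetExe        = $exePath
                ExePresent       = [bool]$exeInfo
                ExeSignature     = if ($exeInfo) { $exeInfo.Signature } else { $null }
                ExeSigner        = if ($exeInfo) { $exeInfo.Signer } else { $null }
                ExeOriginalName  = if ($exeInfo) { $exeInfo.OriginalFilename } else { $null }
                RenamedBinary    = [bool]($exeInfo -and $exeInfo.OriginalFilename -and
                                          $exeInfo.OriginalFilename -ne (Split-Path -Leaf $exePath))
                ManagerAssembly  = $asmName
                ManagerType      = if ($typeNode) { $typeNode.GetAttribute('value') } else { $null }
                ManagerDll       = $dllPath
                ManagerDllExists = Test-Path -LiteralPath $dllPath
            }
        }
    }
}

# --- Demo on a constructed sample (assumed names, not the real campaign's files) ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('adm-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

# The shape of an injecting .exe.config: the runtime loads the named assembly and
# instantiates the named AppDomainManager subclass before the host's Main() runs.
@'
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Injected" />
  </runtime>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $demo 'd.exe.config')

# Stand in for the copied ClickOnce host with the real .NET Framework dfsvc.exe when it
# is present (Windows with .NET 4.x); otherwise a placeholder still exercises the checks.
$dfsvc = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe'
if (Test-Path -LiteralPath $dfsvc) { Copy-Item -LiteralPath $dfsvc -Destination (Join-Path $demo 'd.exe') }
else { Set-Content -LiteralPath (Join-Path $demo 'd.exe') -Value 'placeholder' }
Set-Content -LiteralPath (Join-Path $demo 'DomainManager.dll') -Value 'placeholder'

Find-AppDomainManagerInjection -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

    Run without -Path to sweep the real Startup folders of the current host. A hit with RenamedBinary true and ManagerDllExists true is the exact layout described above (signed Microsoft host under a new name, config pointing at a sidecar DLL); an appDomainManagerAssembly setting anywhere outside a developer's own build output deserves a look even when the other fields are clean, since the same mechanism works from any directory the attacker can write to.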

    VeilShell is a PowerShell-based malware that contacts a command-and-control (C2) server to await further instructions. It gives the attacker full access to the compromised machine, with features including data exfiltration, registry manipulation, and scheduled task creation or manipulation.

    The researchers noted that the threat actors were quite patient and methodical: each stage of the attack features long sleep times in an effort to avoid traditional heuristic detections, and once VeilShell is dropped it does not execute until the next system reboot. In Securonix's words, the SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia, leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems.

    The disclosure came a day after Symantec reported that a separate North Korea-linked group, Andariel, had targeted three different organizations in the U.S. in August 2024 as part of a likely financially motivated campaign.

    The use of VeilShell highlights how North Korean operators keep adapting their methods to evade detection: rather than dropping an obviously malicious executable, this chain hides behind a signed Microsoft binary and a runtime configuration setting that few defenders monitor. For defenders, the chain still leaves concrete artifacts, among them a ".exe.config" file and a DLL sitting in a Startup folder next to a renamed copy of dfsvc.exe, a .NET process pulling JavaScript from the internet, and PowerShell that beacons to a C2 server at long, regular intervals.

    In conclusion, the discovery of VeilShell is another round in the ongoing cat-and-mouse game between cybersecurity professionals and North Korean hackers. As the threat landscape continues to evolve, organizations, particularly in Southeast Asia, should stay vigilant and implement robust security measures, including monitoring of Startup-folder contents and of PowerShell network activity, to protect themselves against such attacks.



    Related Information:

  • https://thehackernews.com/2024/10/north-korean-hackers-using-new.html

  • https://www.techradar.com/pro/security/north-korean-hackers-have-some-deious-new-linux-backdoor-attacks-to-target-victims

  • https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/

  • https://cybersecuritynews.com/redeyes-apt-group/

  • https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/

  • https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/

  • https://www.darkreading.com/threat-intelligence/north-koreasc-arcruft-attackers-target-cybersecurity-pros

  • https://blog.talosintelligence.com/introducing-rokrat/

  • https://www.pcrisk.com/removal-guides/24939-rokrat-malware

  • https://attack.mitre.org/groups/G0067/

  • https://www.wired.com/story/north-korean-hacker-group-apt37/

  • https://en.wikipedia.org/wiki/Ricochet_Chollima

  • https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html


  • Published: Thu Oct 3 09:21:45 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us