October 3, 2024 at 09:03PM
APT37, a North Korean state-sponsored threat actor, has targeted Cambodian organizations with a new campaign called “Shrouded#Sleep.” Through spreading malicious emails related to Cambodian affairs in the Khmer language, APT37 introduces a backdoor called “VeilShell” disguised as shortcut files in an infection routine. This campaign demonstrates sophisticated persistence and stealth mechanism according to Securonix analysis.
Based on the meeting notes, here are the key takeaways:
1. A state-sponsored threat actor, APT37, has been spreading a new backdoor called “VeilShell,” with a recent campaign targeting Cambodian organizations.
2. The relationship between North Korea and Cambodia is complex, despite historical ties, due to their differing stances on nuclear weapons and aggression towards neighbors.
3. The campaign named “Shrouded#Sleep” is being used by APT37 to target Cambodian organizations through malicious emails in Khmer.
4. The infection routine for Shrouded#Sleep involves concealing the backdoor within Windows shortcuts (.LNK) files, which are disguised as PDFs or Excel files.
5. VeilShell, the backdoor used by APT37, is a multifunctional, PowerShell-based RAT capable of various malicious actions and achieves persistence via AppDomainManager injection.
6. APT37 employs long sleep timers and patience in its attack tactics to ensure stealth and evade detection.
These are the main points extracted from the meeting notes regarding the APT37 campaign and its implications. Let me know if there’s anything else you’d like to focus on or if there are specific action items to address.