North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

October 3, 2024 at 09:45AM

Threat actors linked to North Korea have been identified launching a new campaign named SHROUDED#SLEEP targeting Cambodia and other Southeast Asian countries using the VeilShell backdoor and RAT. The group, APT37, is associated with North Korea’s MSS and uses varied tactics for intelligence gathering. The campaign involves sophisticated techniques and long sleep times to avoid detection.

Based on the meeting notes, the main takeaways are:

1. Threat actors with ties to North Korea have been observed carrying out a cyber espionage campaign, referred to as SHROUDED#SLEEP by Securonix, targeting Cambodia and likely other Southeast Asian countries.

2. This activity is attributed to APT37, also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft, and is believed to be part of North Korea’s Ministry of State Security (MSS).

3. The attack involves the delivery of a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of the attack chain. This RAT is a PowerShell-based malware designed to contact a command-and-control (C2) server to await further instructions and to carry out various tasks such as gathering and uploading information, downloading files, renaming and deleting files, and executing after system reboots.

4. The attack chain uses a lesser-known technique called AppDomainManager injection, and the VeilShell backdoor is delivered by retrieving JavaScript code from a remote server.

5. The threat actors demonstrated patience and methodical execution, featuring long sleep times in each stage of the attack to avoid traditional heuristic detections.

6. This campaign represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems.

Additionally, there is mention of Andariel, a North Korean threat actor tracked by Symantec, which targeted three different organizations in the U.S. in August 2024 as part of a financially motivated campaign.