The North Korean state-sponsored threat actor APT37 has been spreading a new backdoor called “VeilShell,” with a surprising target: Cambodia. While historically APTs from North Korea have focused on South Korea and Japan, this latest campaign indicates a shift towards Cambodia, a nation with complex relations with Kim Jong-Un.
Despite historical ties between North Korea and Cambodia, the modern-day relationship is strained due to differences in stances on issues like nuclear weapons and aggression towards neighbors. Securonix has identified a campaign named “Shrouded#Sleep” targeting Cambodian organizations, using malicious emails in the Khmer language as bait.
The infection begins with a .ZIP archive containing a Windows shortcut (.LNK) file disguised as an ordinary document. APT37 hides the malicious payload, named “VeilShell,” inside these shortcut files and relies on double extensions and custom icons so that the shortcut looks harmless to the user who opens it. This stealthy first stage is aimed at establishing persistence in the targeted networks.
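The lure described above depends on two properties of Windows shortcuts: Explorer never displays the `.lnk` extension, so `invitation.pdf.lnk` is shown as `invitation.pdf`, and a shortcut that carries an embedded payload is far larger than a normal one. The following triage script is an added example for this article and is not code from Securonix or from the campaign; the archive it inspects is constructed in the script, and the 64 KiB size threshold and the list of decoy extensions are assumptions chosen for illustration, not values from the report.

```python
import io
import posixpath
import zipfile

# A Shell Link (.LNK) file begins with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in its on-disk layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions an attacker would want the victim to see once ".lnk" is hidden.
# Assumed list for illustration, not from the report.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".txt", ".jpg", ".png"}

# Ordinary shortcuts are a few kilobytes; one carrying an embedded payload is not.
# 64 KiB is an assumed triage heuristic, not a value from the report.
OVERSIZED_LNK_BYTES = 64 * 1024


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): one decoy shortcut with a
    double extension and padding standing in for a payload, one plain shortcut,
    and one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invitation.pdf.lnk", LNK_HEADER + b"\x00" * 100_000)
        zf.writestr("notes.txt", b"plain text\n")
        zf.writestr("shortcut.lnk", LNK_HEADER + b"\x00" * 500)
    return buf.getvalue()


def triage_lnk_entries(zip_bytes: bytes) -> list:
    """Describe every .lnk entry in a ZIP: the name Explorer would display,
    whether that displayed name ends in a decoy document extension, whether the
    bytes really are a Shell Link, and whether the file is unusually large."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = posixpath.basename(info.filename)
            if not name.lower().endswith(".lnk"):
                continue
            displayed = name[:-4]  # Explorer hides ".lnk" regardless of folder settings
            inner_ext = posixpath.splitext(displayed)[1].lower()
            with zf.open(info) as fh:
                header = fh.read(len(LNK_HEADER))
            findings.append({
                "entry": info.filename,
                "displayed_as": displayed,
                "decoy_extension": inner_ext in DECOY_EXTENSIONS,
                "valid_lnk_header": header == LNK_HEADER,
                "oversized": info.file_size > OVERSIZED_LNK_BYTES,
            })
    return findings


def is_suspicious(finding: dict) -> bool:
    """A shortcut that masquerades as a document, or that is far too big to be
    a plain shortcut, deserves a closer look before anyone double-clicks it."""
    return finding["decoy_extension"] or finding["oversized"]


if __name__ == "__main__":
    for finding in triage_lnk_entries(build_sample_archive()):
        print("SUSPICIOUS" if is_suspicious(finding) else "ok", finding)
```

Run against a real mail attachment the script reads the archive bytes instead of `build_sample_archive()`; the header check matters because an entry named `.lnk` that is not a Shell Link (or a Shell Link renamed to hide that it is one) is itself worth noting.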
The Shrouded#Sleep campaign showcases APT37’s advanced techniques, utilizing a blend of living-off-the-land and proprietary tools for stealthy operations in Southeast Asia. VeilShell, the backdoor RAT used in the campaign, allows for various malicious activities like file manipulation and system settings modification.
To maintain persistence, APT37 employs AppDomainManager injection, a technique that causes a legitimate .NET application to load the attacker's malicious code each time it starts. Additionally, the threat actor uses long sleep timers between attack stages to avoid detection and carry out its malicious activities discreetly.
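On the .NET Framework an AppDomainManager override can be set either in the application's `.exe.config` (`<appDomainManagerAssembly>` and `<appDomainManagerType>` under `<runtime>`) or through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, and the CLR then loads the named assembly into the process at startup. Legitimate software almost never uses the setting, so hunting for it is a cheap check. The script below is an added example written for this article, not code from Securonix and not a description of how VeilShell itself is configured; the sample configuration and the assembly name `UpdateHelper` are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Iterator, Mapping, Optional
import xml.etree.ElementTree as ET

# Strong-name public key tokens used by Microsoft's own .NET Framework assemblies.
MICROSOFT_PUBLIC_KEY_TOKENS = {"b77a5c561934e089", "b03f5f7f11d50a3a", "31bf3856ad364e35"}

# Process-level equivalent of the config setting: these variables make the CLR load
# the named AppDomainManager into every .NET Framework process that inherits them.
APPDOMAIN_MANAGER_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample (not from the Securonix report): an .exe.config that points the
# AppDomainManager at an unsigned assembly. With PublicKeyToken=null the assembly
# cannot come from the GAC, so normal probing finds it next to the executable.
# "UpdateHelper" is a hypothetical name.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Loader" />
  </runtime>
</configuration>
"""

# Constructed benign config: only the usual supportedRuntime element.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def extract_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return the appDomainManagerAssembly / appDomainManagerType values, or None if unset."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def assess_config(config_xml: str) -> str:
    """'none': no override. 'review': override to a Microsoft-signed assembly
    (possible but rare). 'high': override to an unsigned or third-party assembly."""
    mgr = extract_appdomain_manager(config_xml)
    if mgr is None:
        return "none"
    asm = mgr["assembly"] or ""
    m = re.search(r"PublicKeyToken=([0-9a-fA-F]{16}|null)", asm, re.IGNORECASE)
    token = m.group(1).lower() if m else "null"
    return "review" if token in MICROSOFT_PUBLIC_KEY_TOKENS else "high"


def check_environment(env: Mapping[str, str]) -> list:
    """Names of the AppDomainManager environment variables set in a process environment."""
    return [name for name in APPDOMAIN_MANAGER_ENV_VARS if env.get(name)]


def scan_directory(root: str) -> Iterator[tuple]:
    """Yield (path, severity) for every *.exe.config under root that overrides the manager."""
    for path in Path(root).rglob("*.exe.config"):
        severity = assess_config(path.read_text(encoding="utf-8", errors="replace"))
        if severity != "none":
            yield str(path), severity


if __name__ == "__main__":
    print("sample config:", assess_config(SUSPICIOUS_CONFIG))  # high
    print("benign config:", assess_config(BENIGN_CONFIG))      # none
    print("env:", check_environment({"APPDOMAIN_MANAGER_ASM": "UpdateHelper", "PATH": "C:\\Windows"}))
```

In practice `scan_directory` is pointed at directories where signed .NET executables live alongside writable config files (user profile and application-data folders are the usual places), and `check_environment` is applied to the environment block of each running .NET process; a hit of either kind next to an unexplained DLL is the artefact this persistence technique leaves behind.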
Overall, APT37’s patient and methodical approach in the Shrouded#Sleep campaign highlights their dedication to stealth and long-term control over compromised systems. This careful planning and execution demonstrate the threat actor’s confidence and expertise in carrying out cyber attacks.