North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

Oct 03, 2024Ravie LakshmananCyber Espionage / Threat Intelligence

Threat actors with ties to North Korea are using a previously undocumented backdoor and remote access trojan (RAT) called VeilShell in a stealthy campaign targeting Cambodia and likely other Southeast Asian countries.

Identified as SHROUDED#SLEEP by Securonix, the operation is tied to APT37, also known by aliases such as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

Active since at least 2012, the group is assessed to be part of North Korea’s Ministry of State Security (MSS). Like other North Korea-aligned clusters such as Lazarus Group and Kimsuky, it fields a diverse toolset and likely adjusts its objectives in line with national interests.

Its arsenal includes RokRAT (aka Goldbackdoor) as well as custom tools built for covert intelligence gathering.


How the initial payload, a ZIP archive containing a Windows shortcut (LNK) file, reaches victims is not yet known, but it is suspected to involve spear-phishing emails.

“The VeilShell backdoor provides complete control over the compromised system,” explained researchers Den Iuzvyk and Tim Peck in a technical analysis shared with The Hacker News. “Its functionalities encompass data theft, registry manipulation, and creation or adjustment of scheduled tasks.”

Once launched, the LNK file acts as a dropper: it runs PowerShell code that decodes and extracts the next-stage components embedded in it. These include a harmless decoy document (a Microsoft Excel spreadsheet or a PDF) that is opened automatically to distract the user, while a configuration file (“d.exe.config”) and a malicious DLL (“DomainManager.dll”) are written in the background to the Windows startup folder.


Also copied to the same startup folder is a legitimate Microsoft executable, “dfsvc.exe,” which belongs to the ClickOnce technology in the .NET Framework; it is written under the name “d.exe.”

Of note is the use of a lesser-known technique called AppDomainManager injection to execute DomainManager.dll when “d.exe” is launched from the startup folder. The .NET runtime reads the accompanying “d.exe.config” in the same folder, and that file tells it which assembly and type to load as the application’s AppDomainManager, so the attacker’s DLL runs inside the trusted host process before the host’s own code does.

This method, also recently employed by the China-affiliated Earth Baxia group, seems to be gaining traction among threat actors as an alternative to DLL side-loading.
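The layout described above (a renamed .NET host, its <name>.exe.config, and a DLL beside it) is what a defender can hunt for. The following is an added example, not code from the Securonix report or from this article: a Python script that scans a folder for *.exe.config files whose <runtime> section declares appDomainManagerAssembly and appDomainManagerType, and reports whether the named assembly's DLL sits next to the host executable. The startup-folder contents it scans are constructed sample data; the type name "DomainManager.Manager" is a hypothetical placeholder, since the article does not give the values used in the real d.exe.config.

```python
"""Hunt for AppDomainManager-injection staging in a Windows startup folder.

Added example; not code from the Securonix report or the article.
The .NET Framework loads <name>.exe.config from beside <name>.exe and honours
  <runtime>
    <appDomainManagerAssembly value="..."/>
    <appDomainManagerType value="..."/>
  </runtime>
by loading the named assembly and instantiating its AppDomainManager subclass
before the host's Main() runs. A renamed host (d.exe), its d.exe.config and a
DLL matching the declared assembly name, all in a startup folder, is the layout
described for SHROUDED#SLEEP. File contents below are constructed; the type
name "DomainManager.Manager" is a hypothetical placeholder.
"""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Finding:
    config: str             # e.g. "d.exe.config"
    host_exe: str           # e.g. "d.exe"
    manager_assembly: str   # value of <appDomainManagerAssembly>
    manager_type: str       # value of <appDomainManagerType>
    assembly_present: bool  # <SimpleName>.dll sits beside the host


def parse_appdomain_manager(config_path: Path):
    """Return (assembly, type) if the config declares an AppDomainManager, else None."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")


def scan_folder(folder: Path) -> list[Finding]:
    """Flag every <exe>.config in folder that redirects the AppDomainManager."""
    findings = []
    for cfg in sorted(folder.glob("*.exe.config")):
        decl = parse_appdomain_manager(cfg)
        if decl is None:
            continue
        asm, typ = decl
        # The attribute holds an assembly display name ("Name, Version=..., ...");
        # the runtime probes the application base for <Name>.dll.
        simple_name = asm.split(",", 1)[0].strip()
        host_exe = cfg.with_suffix("")  # "d.exe.config" -> "d.exe"
        findings.append(Finding(
            config=cfg.name,
            host_exe=host_exe.name,
            manager_assembly=asm,
            manager_type=typ,
            assembly_present=(folder / f"{simple_name}.dll").is_file(),
        ))
    return findings


# Constructed sample configs (not recovered from the campaign).
MALICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="DomainManager.Manager"/>
  </runtime>
</configuration>
"""

BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>
"""


def build_sample_startup_folder(folder: Path) -> None:
    """Write a constructed startup folder: one injected host, one ordinary app."""
    (folder / "d.exe").write_bytes(b"")              # stand-in for the renamed dfsvc.exe
    (folder / "d.exe.config").write_text(MALICIOUS_CONFIG, encoding="utf-8")
    (folder / "DomainManager.dll").write_bytes(b"")  # stand-in for the loader DLL
    (folder / "Updater.exe").write_bytes(b"")        # unrelated, benign .NET app
    (folder / "Updater.exe.config").write_text(BENIGN_CONFIG, encoding="utf-8")


def demo() -> list[Finding]:
    """Build the sample folder in a temp dir and return what the scan flags."""
    folder = Path(tempfile.mkdtemp(prefix="startup_"))
    build_sample_startup_folder(folder)
    return scan_folder(folder)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.config}: {f.host_exe} will load {f.manager_assembly!r} as "
              f"{f.manager_type!r}; DLL present beside host: {f.assembly_present}")
```

Pointed at a real machine, scan_folder would be run over the per-user and all-users Startup folders and any other autostart location; a hit where the host is a copied Microsoft binary and the declared assembly is an unsigned DLL is the pattern worth escalating. The config file is not the only way to set a custom AppDomainManager (the .NET Framework also honours the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables), so a complete hunt should also review process environments, which this example does not cover.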

The DLL, for its part, is a loader that retrieves JavaScript code from a remote server; that code in turn reaches out to a second server to obtain the VeilShell backdoor.

VeilShell, a PowerShell-based malware, establishes communication with a command-and-control (C2) server to receive instructions for data gathering, compressing specific folders into ZIP archives, uploading contents to the C2 server, downloading files from specified URLs, file manipulation (renaming, deleting), and archive extraction.


“The threat actors exhibited a meticulous and patient approach,” remarked the researchers. “Each phase of the campaign incorporates extended sleep durations to evade heuristic detections. After deploying VeilShell, the malware lies dormant until the next system reboot.”

“The SHROUDED#SLEEP initiative represents a sophisticated and covert campaign directed at Southeast Asia, employing multiple layers of execution, persistence mechanisms, and a dynamic PowerShell-based RAT to establish sustained control over compromised systems.”

Securonix’s report comes shortly after Broadcom-owned Symantec revealed that Andariel, another North Korean threat actor, targeted three U.S.-based organizations in August 2024 as part of a financially motivated attack.
