North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks

Cyber Espionage / Threat Intelligence

Threat actors with ties to North Korea have been observed delivering a previously undocumented backdoor and remote access trojan (RAT) called VeilShell as part of a campaign targeting Cambodia and likely other Southeast Asian countries.

The activity, dubbed SHROUDED#SLEEP by Securonix, is believed to be the handiwork of APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

Active since at least 2012, the adversarial collective is assessed to be part of North Korea’s Ministry of State Security (MSS). Like with other state-aligned groups, those affiliated with North Korea, including the Lazarus Group and Kimsuky, vary in their modus operandi and likely have ever-evolving objectives based on state interests.

A key malware in its toolbox is RokRAT (aka Goldbackdoor), although the group has also developed custom tools to facilitate covert intelligence gathering.

It’s currently not known how the first stage payload, a ZIP archive bearing a Windows shortcut (LNK) file, is delivered to targets. However, it’s suspected that it likely involves sending spear-phishing emails.

“The [VeilShell] backdoor trojan allows the attacker full access to the compromised machine,” researchers Den Iuzvyk and Tim Peck said in a technical report shared with The Hacker News. “Some features include data exfiltration, registry, and scheduled task creation or manipulation.”

The LNK file, once launched, acts as a dropper in that it triggers the execution of PowerShell code to decode and extract next-stage components embedded into it.

This includes an innocuous lure document, a Microsoft Excel or a PDF document, that’s automatically opened, distracting the user while a configuration file (“d.exe.config”) and a malicious DLL (“DomainManager.dll”) file are written in the background to the Windows startup folder.

Also copied to the same folder is a legitimate executable named “dfsvc.exe” that’s associated with the ClickOnce technology in Microsoft .NET Framework. The file is copied as “d.exe.”

What makes the attack chain stand out is the use of a lesser-known technique called AppDomainManager injection in order to execute DomainManager.dll when “d.exe” is launched at startup and the binary reads the accompanying “d.exe.config” file located in the same startup folder.

It’s worth noting that this approach was recently also put to use by the China-aligned Earth Baxia actor, indicating that it is slowly gaining traction among threat actors as an alternative to DLL side-loading.

The DLL file, for its part, behaves like a simple loader to retrieve JavaScript code from a remote server, which, in turn, reaches out to a different server to obtain the VeilShell backdoor.

VeilShell is a PowerShell-based malware that’s designed to contact a command-and-control (C2) server to await further instructions that allow it to gather information about files, compress a specific folder into a ZIP archive and upload it back to the C2 server, download files from a specified URL, rename and delete files, and extract ZIP archives.

“Overall, the threat actors were quite patient and methodical,” the researchers noted. “Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn’t actually execute until the next system reboot.”

“The SHROUDED#SLEEP campaign represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems.”

Securonix’s report comes a day after Broadcom-owned Symantec revealed that the North Korean threat actor tracked as Andariel targeted three different organizations in the U.S. in August 2024 as part of a financially motivated campaign.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.