According to recent reports, North Korean hackers have been observed using a new backdoor and remote access trojan in an ongoing campaign. The new tool, VeilShell, is primarily being used against targets in Southeast Asia. In this article we look at how the attack chain works, stage by stage. Let's begin!
The VeilShell activity was first uncovered by Securonix, a security analytics vendor. The threat actor group is mainly known as APT37 but also goes by other names that include:
Reports claim the group has been active since 2012 and is attributed to North Korea's Ministry of State Security (MSS). Securonix tracks this particular activity cluster as SHROUDED#SLEEP, and the group's objectives shift with state interests.
While the group has developed custom tools for attacks on its targets, a key malware in its arsenal is RokRAT, also known as Goldbackdoor. In the SHROUDED#SLEEP campaign, the first payload delivered is a ZIP archive containing a Windows shortcut (LNK) file.
The exact delivery mechanism for this initial payload has not been confirmed, although spear-phishing emails are a plausible vector. Commenting on the tooling, the researchers stated:
"The backdoor trojan allows the attacker full access to the compromised machine. Some features include data exfiltration, registry, and scheduled task creation or manipulation."
When the LNK file is opened it executes PowerShell code that extracts additional components. These include a decoy Excel or PDF document, which is opened automatically to hold the user's attention, while a configuration file and a malicious DLL are written to the Windows Startup folder.
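Shortcut droppers of this kind are easy to triage offline because the LNK format is fully documented (MS-SHLLINK): the command line lives in the StringData section, and any bytes after the terminal ExtraData block are an overlay that Windows never reads, which is where a dropper keeps the decoy and DLL it later carves out. The following parser is an added example written for this article, not code from Securonix or from the campaign; the sample shortcut it builds is constructed (no IDList or LinkInfo), and the suspicious-token list and 4 KiB overlay threshold are illustrative choices, not values taken from the report.

```python
import struct

# MS-SHLLINK constants: the ShellLinkHeader is always 0x4C bytes and carries
# the ShellLink CLSID at offset 4.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that change the layout of the rest of the file.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Illustrative command-line fragments typical of PowerShell droppers.
SUSPICIOUS_ARG_TOKENS = (
    "powershell", "pwsh", "-w hidden", "-windowstyle hidden", "-nop", "-enc",
    "iex", "invoke-expression", "frombase64string", "downloadstring", "bypass",
)


def _read_string_data(buf, off, is_unicode):
    """Read one StringData field: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    size = count * 2 if is_unicode else count
    raw = buf[off:off + size]
    if len(raw) != size:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252", "replace")
    return text, off + size


def parse_lnk(buf):
    """Validate the header, skip IDList/LinkInfo, read StringData, measure overlay."""
    if len(buf) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size + that many bytes
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # uint32 size includes itself
        (link_info_size,) = struct.unpack_from("<I", buf, off)
        off += link_info_size
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if flags & bit:
            fields[name], off = _read_string_data(buf, off, bool(flags & IS_UNICODE))
    # ExtraData is a run of blocks, each prefixed by a uint32 size, closed by a
    # terminal block whose size field is < 4. Everything after that is overlay.
    end = off
    while end + 4 <= len(buf):
        (block_size,) = struct.unpack_from("<I", buf, end)
        if block_size < 4:
            end += 4
            break
        if end + block_size > len(buf):
            break  # malformed block size: treat the remainder as overlay
        end += block_size
    fields["overlay_bytes"] = len(buf) - end
    return fields


def assess_lnk(buf, overlay_threshold=4096):
    """Return (parsed fields, indicator list) for one shortcut."""
    info = parse_lnk(buf)
    args = info.get("arguments", "").lower()
    indicators = [tok for tok in SUSPICIOUS_ARG_TOKENS if tok in args]
    if info["overlay_bytes"] > overlay_threshold:
        indicators.append(f"overlay:{info['overlay_bytes']}")
    return info, indicators


def build_sample_lnk(arguments, working_dir=r"C:\Windows\System32", overlay=b""):
    """Constructed minimal shortcut (no IDList/LinkInfo) for offline testing."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b""
    for text in (working_dir, arguments):   # StringData order: WorkingDir, Arguments
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + struct.pack("<I", 0) + overlay   # terminal block, then overlay


# Constructed dropper-style shortcut: hidden PowerShell that reads its own
# file, with 64 KiB of filler standing in for an embedded decoy and DLL.
SAMPLE_ARGS = ('-NoProfile -WindowStyle Hidden -Command "$p=Get-Item *.lnk;'
               '[IO.File]::ReadAllBytes($p)"')
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, overlay=b"\x90" * 65536)

if __name__ == "__main__":
    info, hits = assess_lnk(SAMPLE_LNK)
    print(info["arguments"])
    print(hits)
```

A real shortcut normally carries a LinkInfo block naming the target (here powershell.exe), so in practice the target path should be checked alongside the arguments; the overlay size is the more robust signal, since a legitimate shortcut is a few hundred bytes to a few kilobytes, not tens of kilobytes.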
In addition, an executable named "dfsvc.exe" is copied to the same folder. That layout, a legitimate .NET executable next to a matching configuration file and a DLL, is consistent with .NET AppDomainManager injection, where the configuration file instructs the runtime to load the attacker's DLL whenever the executable starts. The DLL retrieves JavaScript code from a remote server; that JavaScript in turn contacts a second server to obtain the VeilShell backdoor. VeilShell, which is PowerShell-based, then reaches out to a command-and-control (C2) server for further instructions on:
The researchers also noted:
"Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn't actually execute until the next system reboot."
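Because persistence is achieved through the Startup folder, the chain described above only fires at the next logon, which is why VeilShell does not run until the machine reboots. That also makes the persistence artefacts easy to hunt for: a .NET executable, a sibling `<name>.exe.config` containing `appDomainManagerAssembly`/`appDomainManagerType` elements, and the DLL those elements name. The script below is an added hunting example written for this article, not code from Securonix or from the campaign; it builds a constructed Startup folder in a temporary directory (the file contents, the `payload` assembly name and `Updater.exe` are made up; only `dfsvc.exe` is taken from the report) and returns what it flags.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Elements in the <runtime> section of a .NET application .config that
# redirect AppDomain creation to an attacker-supplied assembly.
ADM_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def read_appdomainmanager_settings(config_path):
    """Return {element: value} for AppDomainManager settings in a .config, else {}."""
    try:
        root = ET.parse(config_path).getroot()   # local file read; no network fetches
    except ET.ParseError:
        return {}
    found = {}
    for node in root.iter():
        local = node.tag.rsplit("}", 1)[-1]       # strip any XML namespace prefix
        if local in ADM_ELEMENTS:
            found[local] = node.get("value", "")
    return found


def hunt_startup_folder(folder):
    """Flag every EXE in folder whose sibling .config names an AppDomainManager."""
    names = os.listdir(folder)
    by_lower = {n.lower(): n for n in names}      # Windows file names are case-insensitive
    findings = []
    for lower, name in sorted(by_lower.items()):
        if not lower.endswith(".exe"):
            continue
        config = by_lower.get(lower + ".config")
        if config is None:
            continue
        settings = read_appdomainmanager_settings(os.path.join(folder, config))
        if "appDomainManagerAssembly" not in settings:
            continue
        # The value is an assembly display name: "Name, Version=..., Culture=..., PublicKeyToken=..."
        assembly = settings["appDomainManagerAssembly"].split(",", 1)[0].strip()
        findings.append({
            "executable": name,
            "config": config,
            "assembly": assembly,
            "manager_type": settings.get("appDomainManagerType", ""),
            "dll_present": (assembly.lower() + ".dll") in by_lower,
        })
    return findings


# Constructed .config performing AppDomainManager injection. The assembly and
# type names are hypothetical, not identifiers from the campaign.
INJECTION_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="payload, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="payload.Loader" />
  </runtime>
</configuration>
"""

# Constructed benign .config with no AppDomainManager settings.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


def demo():
    """Build a constructed Startup folder on disk, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as folder:
        files = {
            "dfsvc.exe": b"MZ",                     # stands in for the copied .NET binary
            "dfsvc.exe.config": INJECTION_CONFIG.encode(),
            "payload.dll": b"MZ",                   # stands in for the malicious DLL
            "Updater.exe": b"MZ",                   # benign app with an ordinary config
            "Updater.exe.config": BENIGN_CONFIG.encode(),
            "notes.txt": b"nothing to see",
        }
        for name, data in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return hunt_startup_folder(folder)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host or a mounted image, point `hunt_startup_folder` at the per-user `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` folder and the all-users `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` folder; any executable there with an AppDomainManager .config beside it deserves a closer look, whether or not the named DLL is still present.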
North Korean hackers, particularly APT37, have expanded their arsenal with the VeilShell backdoor and RAT, delivered through a stealthy multi-stage chain aimed at Southeast Asia. The campaign illustrates the evolving threat that state-sponsored groups pose to organisations worldwide. Practical defences follow directly from the chain described here: treat LNK files arriving inside ZIP attachments as suspicious, monitor writes of executables, .config files and DLLs to the Startup folder, and alert on PowerShell launched from shortcuts with hidden windows or long sleeps.