The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations. Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer.

APT37 gives its shortcut files PDF and Excel icons and assigns them double extensions like ".pdf.lnk" or ".xls.lnk", so that only the .PDF and .XLS parts of the extension show up for users. "It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes. In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that."

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 04 Oct 2024 01:00:27 +0000