VeilShell malware, the main weapon for targeting SEA countries

October 17, 2024

The North Korea-backed threat actors have allegedly started a cybercriminal operation that uses the VeilShell malware to target Southeast Asian countries, especially Cambodia.

Reports indicate that this campaign’s operators are the notorious APT37 threat group, known by various names, including InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft.

As of now, it is not known how the attackers deliver the first-stage payload to their targets. However, the researchers believe that the campaign's primary vector is spear-phishing email.

The VeilShell trojan provides its operators complete control over an infected device.

The VeilShell backdoor trojan gives its operators full takeover capabilities on a compromised device. In addition, the malware can perform data exfiltration, registry management, and modification of scheduled tasks.

The researchers explained that the LNK file functions as a dropper once the malware is launched: it triggers PowerShell code that decodes and extracts the next-stage components appended to the LNK file itself.

The components include seemingly harmless lure documents, such as Microsoft Excel or PDF files, which open immediately to distract the user. While the user is distracted, the operation writes a configuration file and a malicious DLL to the Windows Startup folder in the background.

This new campaign stands out for its use of a lesser-known technique, AppDomainManager injection, to load and execute DomainManager.dll. The injection only happens once the dropped binary is launched at startup; the binary then loads the accompanying DLL file from the same Startup folder.
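The Startup-folder layout described above (a .NET launcher, its configuration file, and the DLL the configuration points at) can be hunted for with a small script. The following Python is an added example, not code from the original article or from the researchers it cites. It assumes the AppDomainManager settings live in the launcher's `.exe.config` under `<runtime>` as `appDomainManagerAssembly` / `appDomainManagerType` elements with a `value` attribute; the launcher name `dotnet_launcher.exe`, the type name `DomainManager.Loader`, and the benign `updater.exe.config` are constructed sample values, and only the file name `DomainManager.dll` comes from the article.

```python
"""Hunt for AppDomainManager-injection artifacts in a Startup-style folder.

Pattern looked for: <launcher>.exe next to <launcher>.exe.config whose <runtime>
section names an appDomainManagerAssembly / appDomainManagerType, with the
referenced <assembly>.dll sitting in the same folder.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Finding:
    launcher: str          # path of the .exe the config belongs to
    config: str            # path of the .exe.config that sets the manager
    manager_assembly: str  # simple assembly name taken from appDomainManagerAssembly
    manager_type: str      # value of appDomainManagerType
    dll_present: bool      # True if <manager_assembly>.dll is beside the launcher


def parse_appdomain_manager(config_path):
    """Return (assembly_display_name, type_name) from a .NET app config,
    or None when the file is not XML or sets no AppDomainManager."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = typ = None
    for child in runtime:
        tag = child.tag.lower()  # case-insensitive so odd casing does not evade the hunt
        if tag == "appdomainmanagerassembly":
            asm = child.get("value", "")
        elif tag == "appdomainmanagertype":
            typ = child.get("value", "")
    if asm is None and typ is None:
        return None
    return asm or "", typ or ""


def scan_startup_dir(folder):
    """Return a Finding for every launcher whose config injects an AppDomainManager."""
    findings = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".exe.config"):
            continue
        config_path = os.path.join(folder, name)
        launcher = config_path[: -len(".config")]
        parsed = parse_appdomain_manager(config_path)
        if parsed is None:
            continue
        asm_display, type_name = parsed
        # The value is an assembly display name; the simple name is the first part
        # and the CLR probes for <simple name>.dll in the application base folder.
        simple_name = asm_display.split(",")[0].strip()
        dll_path = os.path.join(folder, simple_name + ".dll")
        findings.append(Finding(
            launcher=launcher, config=config_path,
            manager_assembly=simple_name, manager_type=type_name,
            dll_present=os.path.isfile(dll_path),
        ))
    return findings


# Constructed sample config; the assembly name DomainManager is from the article,
# the type name DomainManager.Loader is an assumption for the example.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Loader" />
  </runtime>
</configuration>
"""


def build_sample_startup_dir():
    """Create a temporary folder mimicking the dropped Startup-folder layout (constructed)."""
    folder = tempfile.mkdtemp(prefix="startup-sample-")
    with open(os.path.join(folder, "dotnet_launcher.exe"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(folder, "dotnet_launcher.exe.config"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_CONFIG)
    with open(os.path.join(folder, "DomainManager.dll"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes, not a real DLL
    # A benign config with no AppDomainManager settings, to show it is not flagged.
    with open(os.path.join(folder, "updater.exe.config"), "w", encoding="utf-8") as f:
        f.write('<configuration><runtime><gcServer enabled="true" /></runtime></configuration>')
    return folder


if __name__ == "__main__":
    for hit in scan_startup_dir(build_sample_startup_dir()):
        print(hit)
```

Legitimate .NET applications can also register an AppDomainManager, so a hit is a triage lead rather than a verdict: the questions that follow are whether the launcher belongs in a Startup folder at all, whether the referenced DLL is signed, and who created the files. The same setting can be supplied through environment variables rather than the config file, which this scan does not cover.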

The North Korean threat actors are not the only ones using this technique: the China-affiliated threat group known as Earth Baxia has recently used the same method.

In the China-backed campaign, the DLL file functions as a basic loader that retrieves JavaScript code from a remote server and then connects to another server to fetch the VeilShell backdoor. The technique is gaining traction as other threat groups adopt it as an alternative to DLL side-loading.
