Shrouded#Sleep Campaign Detection: North Korean Hackers Linked to the APT37 Group Use New VeilShell Malware Targeting Southeast Asia

October 08, 2024 · 4 min read

North Korea-affiliated APT groups have consistently ranked among the most active adversaries over the past decade. This year, security experts have observed a significant uptick in their malicious operations, driven by enhanced toolsets and an expanded range of targets. In August 2024, North Korean hackers bolstered their arsenal with the MoonPeak Trojan. A month earlier, in July 2024, CISA, the FBI, and international partners issued a joint alert warning of the global cyber-espionage activity by the Andariel APT group. Following these incidents, the North Korea-linked APT37 has ramped up attacks in Southeast Asia, deploying the notorious VeilShell backdoor.

Detect VeilShell Backdoor Attacks Within SHROUDED#SLEEP Campaign by APT37

To stay ahead of potential intrusions and detect attacks in their early stages, security practitioners are seeking curated detection content that addresses the specific TTPs used by North Korean hackers. Cyber defenders can rely on the SOC Prime Platform for collective cyber defense, which provides a tailored set of detection content backed by a complete product suite for advanced threat hunting, AI-powered detection engineering, and automated threat hunting. 

Hit the Explore Detections button below to immediately drill down to a collection of Sigma rules addressing the SHROUDED#SLEEP attacks by APT37. The rules are compatible with 30+ SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework to smooth threat investigation. Additionally, the detections are enriched with extensive metadata, including CTI references, attack timelines, triage & audit recommendations, and more. 

Explore Detections

Cybersecurity experts seeking additional detection content to analyze APT37’s activities retrospectively and stay on top of TTPs leveraged by the group can explore a dedicated rule set curated by the SOC Prime Team. Just browse the Threat Detection Marketplace using the “APT37” tag or use this link to access the APT37 rule collection directly.

SHROUDED#SLEEP Campaign Analysis

North Korean hackers linked to the APT37 group, also known under the monikers InkySquid, Reaper, RedEyes, Ricochet Chollima, or Ruby Sleet, have been observed deploying a novel backdoor and RAT dubbed VeilShell in a campaign targeting Cambodia and potentially other Southeast Asian countries. The APT37 hacking collective, which has been active in the cyber threat arena since at least 2012, is believed to have connections with North Korea’s Ministry of State Security. Similar to other North Korean nation-backed hacking groups, such as the Lazarus Group and Kimsuky, APT37 tends to have constantly evolving objectives that align with state interests.

The ongoing campaign identified by Securonix researchers and dubbed SHROUDED#SLEEP targets victims via a phishing attack vector leveraging emails that contain a ZIP file with a malicious LNK file as the initial payload. Once launched, the LNK file functions as a dropper, initiating PowerShell code execution to decode and extract the next-stage components embedded within it. Notably, APT37 disguises its shortcut files with PDF and Excel icons, using double extensions, so that only the PDF and XLS portions are visible to users. The PowerShell command executed from the LNK file aims to retrieve and decode a payload concealed within the shortcut. It drops malicious files into the Startup folder to ensure persistence, allowing them to run on the next login. Additionally, the payload opens an Excel file, likely to lure victims into believing they view a legitimate document while malicious activities occur in the background. This type of attack utilizes social engineering and fileless techniques to evade detection.
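As an added illustration of the delivery stage described above (not code from Securonix or SOC Prime), the following Python sketch triages a ZIP attachment for shortcut files that hide behind a document extension or are far larger than a normal shortcut. The extension list beyond PDF and XLS, the 64 KB size threshold, and all sample file names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Decoy extensions: the page names PDF and XLS; the others are assumed variants.
DECOY_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx"}
# Assumed threshold: a plain shortcut is a few KB, while a dropper LNK that
# carries embedded next-stage files is much larger.
MAX_PLAIN_LNK_BYTES = 64 * 1024


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious .lnk entry in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] != ".lnk":
                continue
            reasons = []
            # Explorer hides ".lnk", so "report.pdf.lnk" is shown as "report.pdf".
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                reasons.append("double extension " + "".join(suffixes[-2:]))
            # file_size is the uncompressed size recorded in the archive.
            if info.file_size > MAX_PLAIN_LNK_BYTES:
                reasons.append(f"oversized shortcut ({info.file_size} bytes)")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test archive; the entries are inert filler, not real shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/quarterly_report.xls.lnk", b"\x00" * 200_000)
        zf.writestr("docs/readme.pdf", b"%PDF-1.4 constructed")
        zf.writestr("tools/notepad.lnk", b"\x00" * 1500)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```
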

At the final stages of a complex infection chain, attackers deploy VeilShell, PowerShell-based malware with extensive RAT features. This new backdoor is notable for its stealthy execution and wide-ranging capabilities, including data exfiltration, registry edits, and scheduled task manipulation, granting attackers full control over compromised systems.

The SHROUDED#SLEEP campaign also employs a rare adversary technique known as AppDomainManager hijacking to ensure persistence by injecting malicious code into .NET applications. This method takes advantage of the .NET AppDomainManager class, enabling attackers to load their malicious DLL at the beginning of the application’s execution.
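One way to hunt for the AppDomainManager technique described above is to look for .NET configuration files that name a custom manager. The Python sketch below is an added example, not code from the original research or from SOC Prime; it reports any `*.config` file whose `<runtime>` section sets `appDomainManagerAssembly` or `appDomainManagerType`. The file names, the hypothetical `Loader` assembly, and the check for a DLL staged beside the config are assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <runtime> settings that make the CLR load a custom AppDomainManager.
HIJACK_KEYS = {"appdomainmanagerassembly": "assembly", "appdomainmanagertype": "type"}

def local(tag: str) -> str:  # element name without namespace, lower-cased
    return tag.rsplit("}", 1)[-1].lower()

def inspect_config(path: Path):
    """Return a finding dict if the config names an AppDomainManager, else None."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None  # unreadable or not XML
    hit = {}
    for runtime in (e for e in root.iter() if local(e.tag) == "runtime"):
        for el in runtime:
            if local(el.tag) in HIJACK_KEYS:
                hit[HIJACK_KEYS[local(el.tag)]] = el.get("value", "")
    if not hit:
        return None
    # Display name looks like "Name, Version=..., ..."; keep the simple name.
    simple = hit.get("assembly", "").split(",")[0].strip()
    # Assumption: the DLL is staged next to the config file.
    staged = bool(simple) and (path.parent / f"{simple}.dll").is_file()
    return {"config": str(path), "assembly": simple,
            "type": hit.get("type", ""), "dll_beside_config": staged}

def scan_tree(root: Path) -> list:
    found = (inspect_config(p) for p in sorted(root.rglob("*.config")))
    return [f for f in found if f]

def build_sample(root: Path) -> None:
    """Constructed files: one benign config, one naming a hypothetical Loader.dll."""
    (root / "good").mkdir()
    (root / "bad").mkdir()
    (root / "good" / "tool.exe.config").write_text("<configuration><runtime/></configuration>")
    (root / "bad" / "app.exe.config").write_text(
        "<configuration><runtime>"
        '<appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral"/>'
        '<appDomainManagerType value="Loader.Manager"/></runtime></configuration>')
    (root / "bad" / "Loader.dll").write_bytes(b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(scan_tree(Path(tmp)))
```

Configuration files are only one place this setting can live: the same manager can also be named through the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables, which this scan does not cover.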

The SHROUDED#SLEEP operation is a sophisticated and stealthy campaign that employs multiple execution layers, persistence methods, and a versatile PowerShell-based backdoor RAT for sustained control of compromised systems. Because of its increased sophistication and the adversaries' reliance on a unique mix of legitimate tools and techniques to evade defenses and maintain access to their targets, this campaign, along with similar attacks, requires ultra-responsiveness from cyber defenders. By leveraging SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection, progressive organizations can act faster than attackers and elevate their defenses at scale.
