North Korean Hackers Use New Backdoor And RAT For Attacks
As per recent reports, North Korean hackers have been observed using a new backdoor and remote access trojan as part of their attack campaign. VeilShell, the new tool, is primarily being used to target Southeast Asian countries. In this article, we’ll dive into the details and uncover how such attacks are carried out. Let’s begin!
North Korean Hackers Behind VeilShell Uncovered
Activities pertaining to the use of VeilShell by North Korean hackers were initially uncovered by Securonix, a security analytics platform. The threat actor group is mainly known as APT37 but also goes by other names that include:
- Reaper.
- RedEyes.
- ScarCruft.
- InkySquid.
- Ruby Sleet.
- Ricochet Chollima.
Reports claim that the threat actor has been active since 2012 and is known to be part of North Korea’s Ministry of State Security (MSS). It’s worth mentioning that the activities of these North Korean hackers have been dubbed SHROUDED#SLEEP and that their objectives evolve based on state interests.
SHROUDED#SLEEP Attack Arsenal And Tactics
While these North Korean hackers have developed custom tools for carrying out attacks on targeted victims, a key malware in their arsenal is RokRAT, also known as Goldbackdoor. The first payload delivered in these attacks is a ZIP archive containing a Windows LNK file.
As of now, spear-phishing emails may play a role; however, the exact deployment method for the initial payload has not yet been confirmed. Commenting on the attack methods, researchers have stated that:
“The backdoor trojan allows the attacker full access to the compromised machine. Some features include data exfiltration, registry, and scheduled task creation or manipulation.”
The LNK file delivered to the targeted victims is used to execute PowerShell code that extracts additional components. These components include an Excel or PDF document that opens automatically. North Korean hackers use the document to distract the user while a configuration file and a malicious DLL are written to the Windows startup folder.
In addition, an executable file named “dfsvc.exe” is also copied to the same folder. The DLL file deployed on the compromised systems retrieves JavaScript code from a remote server. This server also reaches out to another server to obtain the VeilShell backdoor. This PowerShell-based malware then reaches out to a C2 server for further instructions on:
- Gathering information.
- Compressing a specific folder into a ZIP archive.
- Uploading acquired data back to the C2 server.
- Downloading files from a specified URL.
- Renaming and deleting files.
- Extracting ZIP archives.
Apart from this, experts have stated that:
“Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn’t actually execute until the next system reboot.”
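The chain described above leaves a telemetry footprint before the backdoor ever runs: a PowerShell process spawned from a shortcut writes a DLL, a configuration file and a copy of dfsvc.exe into the user’s Startup folder, and nothing executes until the next reboot. A defender can therefore catch it at the file-write stage rather than waiting for execution. The following is an added detection sketch, not code from the original article or from Securonix: it correlates constructed, Sysmon-style process and file events (sample data invented for this example, not real telemetry) and flags any PowerShell process that drops executables or DLLs into the Startup folder, raising the severity when dfsvc.exe is among them.

```python
"""Detection sketch for Startup-folder persistence written by PowerShell.

Added example: the event records below are constructed for illustration and
do not come from the SHROUDED#SLEEP campaign or any real host.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Matches a file directly inside a per-user Windows Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)

# File types the reporting describes being dropped there (a DLL and a copied
# executable). The decoy document and config file are not flagged on their own.
EXECUTABLE_EXTS = {".dll", ".exe"}

# Constructed sample telemetry (simplified Sysmon-like dicts), not real data.
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # Suspicious chain: explorer.exe (the shortcut launcher) -> powershell.exe
    {"type": "process", "pid": 4100, "ppid": 2200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -c "<stage-1 launcher elided>"'},
    {"type": "file", "pid": 4100, "path": STARTUP_DIR + r"\Q3_report.xlsx"},  # decoy document
    {"type": "file", "pid": 4100, "path": STARTUP_DIR + r"\settings.dat"},    # configuration
    {"type": "file", "pid": 4100, "path": STARTUP_DIR + r"\helper.dll"},      # malicious DLL
    {"type": "file", "pid": 4100, "path": STARTUP_DIR + r"\dfsvc.exe"},       # copied host binary
    # Benign admin script: PowerShell writing a text file elsewhere
    {"type": "process", "pid": 5200, "ppid": 3100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -File inventory.ps1"},
    {"type": "file", "pid": 5200, "path": r"C:\Users\alice\Documents\notes.txt"},
    # Benign installer placing a shortcut in Startup (not PowerShell, not exe/dll)
    {"type": "process", "pid": 6000, "ppid": 2200,
     "image": r"C:\Program Files\ExampleApp\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "setup.exe /quiet"},
    {"type": "file", "pid": 6000, "path": STARTUP_DIR + r"\ExampleApp.lnk"},
]


def is_startup_write(path: str) -> bool:
    """True if the path is a file directly inside a Startup folder."""
    return bool(STARTUP_RE.search(path))


def detect_startup_persistence(events):
    """Return one finding per PowerShell process that writes an .exe or .dll
    into the Startup folder, correlating process and file events by pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = defaultdict(list)
    for e in events:
        if e["type"] == "file" and is_startup_write(e["path"]):
            writes[e["pid"]].append(e["path"])

    findings = []
    for pid, paths in writes.items():
        proc = procs.get(pid)
        if proc is None:
            continue
        if PureWindowsPath(proc["image"]).name.lower() != "powershell.exe":
            continue
        dropped = sorted(p for p in paths
                         if PureWindowsPath(p).suffix.lower() in EXECUTABLE_EXTS)
        if not dropped:
            continue
        names = sorted({PureWindowsPath(p).name.lower() for p in dropped})
        # dfsvc.exe is a Windows component; a copy of it in Startup next to a
        # freshly written DLL matches the staging the reporting describes.
        dfsvc_copied = "dfsvc.exe" in names
        findings.append({
            "pid": pid,
            "parent": PureWindowsPath(proc["parent_image"]).name.lower(),
            "dropped": dropped,
            "dropped_names": names,
            "dfsvc_copied": dfsvc_copied,
            "severity": "high" if dfsvc_copied else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_startup_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} (parent {f['parent']}) "
              f"wrote {', '.join(f['dropped_names'])} to Startup")
```

Because the rule fires on the write into the Startup folder, the long sleep intervals and the reboot-gated execution the researchers describe do not delay the alert; the persistence artifacts are visible as soon as the first stage finishes. In production the same logic would run against Sysmon Event ID 1 (process creation) and Event ID 11 (file create) rather than the constructed list here.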
Conclusion
North Korean hackers, particularly APT37, have ramped up their cyberattack arsenal with the new VeilShell backdoor and RAT. Their sophisticated tactics involve stealthy, multi-stage attacks targeting Southeast Asia. This highlights the evolving threats these state-sponsored groups pose to international cybersecurity. To stay secure online, users must use robust security measures that help mitigate risk and improve security posture.
The sources for this piece include articles in The Hacker News and The Record.