“SHROUDED#SLEEP: Analyzing North Korea’s Campaign in Southeast Asia”

Keypoints

  • Initial access is via phishing zip attachments containing double-extension shortcut files (.pdf.lnk, .xlsx.lnk) that invoke PowerShell to extract embedded payloads.
  • Shortcut files contain embedded Base64 payloads (read from a fixed byte offset) which are decoded and written to disk as e.xlsx, d.exe.config, and DomainManager.dll.
  • Persistence is achieved by copying a legitimate ClickOnce binary (dfsvc.exe) to Startup as d.exe, dropping a matching d.exe.config that specifies a custom AppDomainManager to load DomainManager.dll.
  • DomainManager.dll sleeps, retrieves an obfuscated payload from a jumpshare URL, applies a Caesar cipher (-7) to decode JavaScript, and evaluates it to fetch and execute VeilShell.
  • VeilShell is an obfuscated PowerShell RAT that delays execution, establishes registry and Startup persistence (via mshta calling PowerShell), and communicates with C2 servers for file upload/download and task/registry manipulation.
  • Defensive evasion techniques include long sleep intervals, deferred execution until reboot, Base64 encoding, Caesar cipher obfuscation, and using legitimate system binaries and mshta to blend in.

MITRE Techniques

  • [T1204.001] User Execution: Malicious Link – Shortcut files (.lnk) are used as droppers to execute PowerShell and extract payloads (‘malicious shortcut files (.lnk) are used to drop and execute payloads’).
  • [T1566.001] Phishing: Spearphishing Attachment – Initial delivery via zip attachments in phishing emails (‘phishing emails where the initial payload would be a zip file attached to the email’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell one-liners decode embedded Base64, write payloads, and implement the VeilShell backdoor (‘PowerShell-based backdoor that allows remote control of the victim’s system’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – DomainManager.dll decrypts and evaluates JavaScript fetched from a remote page to drive later stages (‘executes obfuscated JavaScript payloads from a remote C2 server’).
  • [T1574.014] Hijack Execution Flow: AppDomainManager – Attackers specify a custom AppDomainManager in d.exe.config to load DomainManager.dll early in process execution (‘AppDomainManager hijacking to maintain persistence’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Files are dropped into the Startup folder and registry Run keys are used to persist PowerShell at login (‘drops malicious files into the Startup folder, ensuring persistence’).
  • [T1053] Scheduled Task/Job – VeilShell can create scheduled tasks to execute commands periodically (‘Creates a scheduled task on the victim’s machine to execute a command or script at a specified interval’).
  • [T1027] Obfuscated Files or Information – Payloads use Base64 encoding and a Caesar cipher to obscure stages (‘The use of Base64 encoding and Caesar ciphers added to the overall stealthiness’).
  • [T1132] Data Encoding – Embedded payloads are Base64-encoded within the .lnk and separated by delimiters for extraction (‘Each “file” is Base64 encoded and separated by a colon (:)’).
  • [T1070.004] Indicator Removal on Host: File Deletion – The campaign includes cleanup steps and process termination to reduce traces (‘The function finally calls Environment.Exit(0) to terminate the current process, cleaning up after itself’).
  • [T1112] Modify Registry – Registry modifications are used to ensure PowerShell runs at startup and to store persistence indicators (‘it adds a persistence mechanism to the Windows Registry’s startup key’).
  • [T1041] Exfiltration Over C2 Channel – VeilShell supports uploading files to the attacker via multipart POSTs to the control server (‘upload files to the control server using a multipart POST request’).
  • [T1560] Archive Collected Data – The backdoor can compress directories into .zip before exfiltration (‘Compresses the specified directory into a .zip archive and upload it to the attacker’s server’).
  • [T1033] System Owner/User Discovery – The backdoor gathers system/username details to fingerprint victims (‘System details are then retrieved and stored… used to uniquely identify the victim machine’).
  • [T1057] Process Discovery – The malware includes capabilities to inspect running processes as part of discovery (matrix lists Process Discovery).
  • [T1069/T1082] Permission Groups/System Information Discovery – The campaign performs system and permission discovery to inform attacker actions (matrix lists these discovery techniques).
  • [T1204.002] User Execution: Malicious File – Double-extension lure files (e.g., .pdf.lnk) trick users into executing the dropper (text references .pdf.lnk and .xlsx.lnk tactics).

Indicators of Compromise

  • [C2 IPs] Command and control servers – 172.93.181[.]249, 208.85.16[.]88
  • [URLs/Hosts] Remote payload hosting and fetch points – hxxps://jumpshare[.]com/view/load/crjl6ovj7HVGtuhdQrF1, hxxp://172.93.181[.]249/control/com.php
  • [File names] Dropped and malicious files – DomainManager.dll, d.exe.config, Report on NGO Income_edit.xlsx.lnk
  • [File hashes] Analyzed sample hashes – BEAF36022CE0BD16… (Report on NGO Income_edit.zip), 106C513F44D10E65… (DomainManager.dll), and 10 more hashes
  • [Shortcuts/Lures] Lure documents and shortcut samples – e.xlsx / e.pdf and their corresponding .lnk variants (e.g., Report on NGO Income_edit.xlsx.lnk)

The technical chain begins with a user executing a double-extension shortcut (.lnk) delivered inside a phishing zip; the .lnk invokes powershell.exe via path traversal and reads a fixed byte range (start 2903, length 64,744) to extract three Base64-encoded blobs separated by colons. The script decodes these blobs and writes e.xlsx to %TEMP%, and d.exe.config plus DomainManager.dll to the user Startup folder after copying the legitimate ClickOnce binary (dfsvc.exe) to Startup as d.exe, ensuring items load at next login rather than immediately.
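The extraction step above (a fixed byte range, three Base64 blobs separated by colons) is easy to reproduce on the analysis side without ever executing the shortcut. The following Python triage helper is an added example, not code from the Securonix write-up or from the campaign: it checks the Shell Link header, slices the requested byte range, decodes each colon-separated segment and reports what kind of file it looks like. The offset/length values of the real sample (2903 / 64,744) are parameters; the embedded sample shortcut, its offsets and its three dummy payloads are constructed here so the code runs stand-alone. The `find_base64_regions` helper goes beyond the page: it locates long Base64 runs anywhere in the file for variants that move the offset.

```python
import base64
import binascii
import re

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shortcut_header(data: bytes) -> bool:
    """True if the buffer starts with a Shell Link header (HeaderSize 0x4C + CLSID)."""
    return data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID


def sniff(blob: bytes) -> str:
    """Coarse type label for a decoded payload (the kinds this chain drops)."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"PK\x03\x04"):
        return "zip/ooxml"
    head = blob.lstrip()[:64].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<configuration"):
        return "xml-config"
    return "unknown"


def extract_embedded_blobs(data: bytes, offset: int, length: int, sep: bytes = b":") -> list:
    """Slice data[offset:offset+length], split on sep, Base64-decode each part.
    Returns one dict per segment: index, decoded size, type label, decode status, bytes."""
    region = data[offset:offset + length]
    results = []
    for i, part in enumerate(region.split(sep)):
        part = part.strip()
        if not part:
            continue
        try:
            decoded, ok = base64.b64decode(part, validate=True), True
        except (binascii.Error, ValueError):
            decoded, ok = b"", False
        results.append({
            "index": i,
            "size": len(decoded),
            "type": sniff(decoded) if ok else "undecodable",
            "ok": ok,
            "data": decoded,
        })
    return results


def find_base64_regions(data: bytes, min_len: int = 200) -> list:
    """(start, end) offsets of Base64 runs of at least min_len characters anywhere
    in the file; useful when a variant does not use the documented offset."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    return [(m.start(), m.end()) for m in pattern.finditer(data)]


def triage_shortcut(data: bytes, offset: int, length: int) -> dict:
    """One-call summary an analyst can log: header check plus per-blob type/size."""
    blobs = extract_embedded_blobs(data, offset, length)
    return {
        "shell_link_header": is_shortcut_header(data),
        "blobs": [(b["index"], b["type"], b["size"]) for b in blobs],
    }


# --- constructed sample shortcut (not a real artefact) ---
_HEADER = b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * (0x4C - 20)
_PADDING = b"\x00" * 100  # stands in for the real shell link body
_FAKE_XLSX = b"PK\x03\x04" + b"\x00" * 20
_FAKE_CONFIG = b'<?xml version="1.0"?><configuration><runtime/></configuration>'
_FAKE_DLL = b"MZ" + b"\x90" * 30
_ENCODED = b":".join(base64.b64encode(b) for b in (_FAKE_XLSX, _FAKE_CONFIG, _FAKE_DLL))
SAMPLE_LNK = _HEADER + _PADDING + _ENCODED
SAMPLE_OFFSET = len(_HEADER) + len(_PADDING)  # the analysed sample used 2903
SAMPLE_LENGTH = len(_ENCODED)                 # the analysed sample used 64744

if __name__ == "__main__":
    print(triage_shortcut(SAMPLE_LNK, SAMPLE_OFFSET, SAMPLE_LENGTH))
```

Running the helper on a real sample means reading the .lnk bytes from disk and passing the offset/length the dropper's PowerShell uses; because the Base64 alphabet never contains a colon, the split is safe even when the blobs contain binary data.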

At startup, d.exe reads d.exe.config which specifies a custom AppDomainManager class that causes the .NET runtime to load DomainManager.dll early; the DLL sleeps (10 minutes), issues an HTTPS GET to a jumpshare URL, extracts content between <pre> tags, applies a Caesar cipher (-7) to decrypt JavaScript, and evaluates it via Eval.JScriptEvaluate. The resulting JavaScript fetches a per-host text file from 208.85.16[.]88 and then evals a large PowerShell one-liner (VeilShell).

VeilShell delays execution, assembles a unique victim ID, and establishes persistence in the registry and Startup using mshta to launch PowerShell hidden. It implements a C2 loop contacting hxxp://172.93.181[.]249/control/com.php to pull commands and supports file listing/export (fileinfo), directory zipping and upload (dir), file upload (file), file download (down), registry edits (regedit), scheduled task creation (task), zip extraction (zip), rename and delete operations, and multipart chunked uploads/downloads with a 1MB buffer. Detection evasion techniques include appended encoded payloads inside .lnk, long sleep intervals, Caesar and Base64 obfuscation, delayed execution until reboot, and use of legitimate binaries and mshta to blend with normal activity.
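Both persistence mechanisms described above (the AppDomainManager redirection in a Startup-folder `d.exe.config`, and the registry/Startup entries that have mshta launch a hidden PowerShell) leave artefacts that can be reviewed offline. The Python hunting helper below is an added example, not code from the Securonix write-up or from the campaign. It parses `.exe.config` files for the .NET `appDomainManagerAssembly` / `appDomainManagerType` runtime settings and checks whether the launcher executable and the named assembly sit beside the config, and it flags Run-key values that combine mshta with PowerShell. Inputs are plain dicts so the logic runs without touching a live system; the sample Startup folder, the `DomainManagerClass` type name and the Run-key command lines are constructed placeholders, not values from the page.

```python
import re
import xml.etree.ElementTree as ET


def config_appdomain_directives(xml_bytes: bytes) -> dict:
    """Return appDomainManagerAssembly / appDomainManagerType values from a .NET
    application config's <runtime> element, or {} if absent or unparseable."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in ("appDomainManagerAssembly", "appDomainManagerType"):
                found[child.tag] = child.get("value", "")
    return found


def hunt_startup_folder(files: dict) -> list:
    """files maps filename -> bytes for a Startup folder listing. Flags every
    *.exe.config that redirects the AppDomainManager and records whether the
    launcher exe and the named assembly DLL are present alongside it."""
    findings = []
    for name, content in files.items():
        if not name.lower().endswith(".exe.config"):
            continue
        directives = config_appdomain_directives(content)
        if not directives:
            continue
        exe_name = name[: -len(".config")]
        # Strong-name form is "Name, Version=..., Culture=..."; keep the simple name
        assembly = directives.get("appDomainManagerAssembly", "").split(",")[0].strip()
        findings.append({
            "config": name,
            "launcher_present": exe_name in files,
            "assembly": assembly,
            "assembly_present": f"{assembly}.dll" in files,
            "manager_type": directives.get("appDomainManagerType", ""),
        })
    return findings


_MSHTA = re.compile(r"\bmshta(\.exe)?\b", re.I)
_PS = re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I)
_HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def hunt_run_values(values: dict) -> list:
    """values maps Run-key value name -> command line. Flags entries where mshta
    is used to launch PowerShell; a hidden-window switch is an extra signal."""
    findings = []
    for name, cmd in values.items():
        if _MSHTA.search(cmd) and _PS.search(cmd):
            findings.append({"value": name, "hidden_window": bool(_HIDDEN.search(cmd))})
    return findings


# --- constructed samples (placeholders, not real artefacts) ---
SAMPLE_STARTUP = {
    "d.exe": b"MZ" + b"\x00" * 16,  # stands in for the copied dfsvc.exe
    "d.exe.config": b"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="DomainManagerClass"/>
  </runtime>
</configuration>""",
    "DomainManager.dll": b"MZ" + b"\x00" * 16,
    "notes.txt.lnk": b"L\x00\x00\x00",
}
SAMPLE_RUN = {
    # constructed: launcher body omitted, only the tokens the hunt keys on are present
    "OneDriveUpdate": 'mshta.exe "javascript:<launcher body omitted> powershell.exe -WindowStyle Hidden -File C:\\Users\\u\\s.ps1"',
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print(hunt_startup_folder(SAMPLE_STARTUP))
    print(hunt_run_values(SAMPLE_RUN))
```

In a real collection the two dicts would be filled from each user's Startup folder and the HKCU/HKLM Run keys; a `.exe.config` in a Startup folder that names an AppDomainManager assembly is unusual enough on its own to warrant pulling the neighbouring executable and DLL for hashing and comparison against the IoCs listed above.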

Read more: https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/