North Korean Cyberespionage Group Seen Spying on Cambodia
APT37 Sent Phishing Emails in Local Language to Drop Backdoor Trojan

North Korean cyberespionage group APT37 has been spying on Cambodia, sending spear-phishing emails in the local Khmer language to trick internet users into downloading malicious files. The hackers then deploy a highly versatile PowerShell-based backdoor called VeilShell that lets them control compromised systems, according to cybersecurity firm Securonix.
APT37 has been targeting countries in Southeast Asia for years to gather information for the Kim Jong Un regime. The latest phishing campaign comes amid heightened tensions over the rise in North Korean ballistic missile testing in the region. Cambodia and North Korea have maintained diplomatic relations since 1964, but ASEAN - a 10-state Asian coalition that includes Cambodia - in July denounced the missile testing.
Securonix researchers, who analyzed phishing emails sent by the North Korean group in the campaign they call "Shrouded#Sleep," said APT37 capitalized on local themes and areas of interest to job seekers, such as details of annual income in Cambodia's education, health, agriculture and other sectors.
The group attached Excel documents in zip archives as lures, using shortcut files with the .lnk extension but named with a double extension such as .pdf.lnk or .xlsx.lnk to fool recipients into thinking they were opening a legitimate PDF or spreadsheet document. The shortcuts were further disguised with Excel or PDF icons.
Securonix researchers said opening the malicious shortcut file triggers a chain of events. The shortcut file drops three Base64-encoded payloads that are decoded via PowerShell and written to disk. These files include an actual lure file document, a configuration file and a malicious DLL file named DomainManager.
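The two observable traits described above - a shortcut hiding behind a document extension inside a zip archive, and a PowerShell command line that carries its payloads as Base64 text - are both cheap to check for in mail-gateway or endpoint triage tooling. The following Python script is an added example written for this article; it is not Securonix's or APT37's code, and the archive entries, payload bytes and command line it scans are constructed stand-ins (the file names and the `DomainManager` DLL name are only illustrative). It flags double-extension `.lnk` entries in a zip and decodes any long Base64 runs in a command line so an analyst can see at a glance what kind of files would have been written to disk.

```python
import base64
import io
import re
import zipfile

# Document extensions a shortcut may impersonate, e.g. "report.pdf.lnk".
DOC_EXTENSIONS = (".pdf", ".xlsx", ".xls", ".docx", ".doc")


def is_masquerading_lnk(name: str) -> bool:
    """True for a .lnk entry whose name carries a document extension in front
    of the real one (Explorer hides .lnk, so the user sees 'report.pdf')."""
    lower = name.lower()
    return lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS)


def find_masquerading_lnk_in_zip(zip_bytes: bytes) -> list[str]:
    """Names of double-extension shortcuts inside a zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_masquerading_lnk(n)]


# A run of 40+ Base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_base64_blobs(text: str) -> list[bytes]:
    """Decode every long Base64 run found in a command line or script body;
    runs that are not valid Base64 (e.g. bad padding) are skipped."""
    blobs = []
    for match in B64_RUN.finditer(text):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:
            continue
    return blobs


def classify_payload(blob: bytes) -> str:
    """Rough file-type guess from magic bytes, enough to tell a lure document
    from a DLL in a triage listing."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"%PDF"):
        return "pdf"
    if blob.startswith(b"PK"):
        return "zip-or-office"
    return "text"


def triage_command_line(text: str) -> list[dict]:
    """Summarise the payloads embedded in a PowerShell command line."""
    return [{"kind": classify_payload(b), "size": len(b)}
            for b in extract_base64_blobs(text)]


# --- constructed sample input (not real campaign artefacts) ----------------

def _build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Annual_Income_2024.xlsx.lnk", b"constructed stand-in")
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("salary.pdf.lnk", b"constructed stand-in")
        zf.writestr("real_report.xlsx", b"PK\x03\x04")
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

# Three constructed payloads standing in for the lure document, the config
# file and the DLL the article describes (the DLL is just an "MZ" header).
_PAYLOADS = [
    b"%PDF-1.4 constructed lure placeholder",
    b"[config]\nserver=c2.example.invalid\n",
    b"MZ" + b"\x90" * 60,
]
_B64 = [base64.b64encode(p).decode() for p in _PAYLOADS]
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -c "
    f"\"$l='{_B64[0]}'; $c='{_B64[1]}'; $d='{_B64[2]}'; ...\""
)

if __name__ == "__main__":
    print(find_masquerading_lnk_in_zip(SAMPLE_ZIP))
    print(triage_command_line(SAMPLE_CMDLINE))
```

The 40-character minimum for a Base64 run keeps ordinary switches and paths out of the decoder; lower it if the command lines you triage embed very small payloads, and expect the occasional false positive from long hashes or tokens, which `classify_payload` will simply report as `text`.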
Researchers found that the DLL acts as a simple loader that checks a remote file-hosting site for code to download and execute as the next stage of the attack. In this stage, the malware runs JavaScript inside the .NET environment; the script sends the infected system's hostname to a remote server, then downloads and executes code received from the same command-and-control (C2) server.
When executed, that code introduces the VeilShell script, which serves as a backdoor remote access Trojan, giving attackers the ability to remotely exfiltrate stored information and control infected systems.
APT37 did not include functionality within the malware to execute system commands directly from the backdoor, possibly to reduce the code's overall footprint and the likelihood that antivirus engines would detect it. Instead, the hackers could execute system commands through scheduled tasks or the registry, researchers said.
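Because the backdoor leans on scheduled tasks and registry entries rather than a built-in command channel, those persistence locations are where defenders can look for it. The script below is an added example for this article, not code from Securonix or from the campaign; it parses an exported Task Scheduler XML definition (the real `schtasks /query /xml` format, with its `http://schemas.microsoft.com/windows/2004/02/mit/task` namespace) and applies the same indicator list to a Run-key value. The task definition, the Run-key string, the file paths and the indicator patterns are constructed assumptions chosen to illustrate the check; tune them to your environment.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that rarely belong in a persistence entry a user created.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Argument patterns typical of hands-off script execution (constructed list).
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy-bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "download-cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|FromBase64String", re.I),
    "user-writable-path": re.compile(r"\\(?:Users\\Public|AppData|Temp)\\", re.I),
}


def launch_indicators(command_line: str) -> list[str]:
    """Names of the INDICATORS that match a full command line. Works for a
    scheduled task (Command + Arguments) and for a Run-key value alike."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def suspicious_task_actions(task_xml: str) -> list[dict]:
    """Walk the <Exec> actions of an exported Task Scheduler XML and report
    those that start a script host with suspicious arguments."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        # Basename of the executable, ignoring surrounding quotes and the path.
        host = command.strip('"').rsplit("\\", 1)[-1].lower()
        if host not in SCRIPT_HOSTS:
            continue
        hits = launch_indicators(f"{command} {args}")
        if hits:
            findings.append({"command": command, "arguments": args, "indicators": hits})
    return findings


# --- constructed sample input --------------------------------------------
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-nop -w hidden -ep bypass -File C:\\Users\\Public\\update.ps1</Arguments>
    </Exec>
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# A constructed HKCU\...\Run value; the "encoded" argument is filler, not a real script.
SAMPLE_RUN_VALUE = "powershell.exe -nop -w hidden -enc " + "Q" * 24

if __name__ == "__main__":
    for finding in suspicious_task_actions(SAMPLE_TASK_XML):
        print(finding)
    print(launch_indicators(SAMPLE_RUN_VALUE))
```

On a live host the XML would come from `schtasks /query /xml` per task and the Run-key strings from `HKCU` and `HKLM` `...\CurrentVersion\Run`; the indicator list deliberately stays small and readable so that each hit explains itself in the finding.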