Attacks with the new VeilShell remote access trojan have been launched against Cambodia and other countries across Southeast Asia as part of the SHROUDED#SLEEP campaign suspected to be led by North Korean state-sponsored threat operation APT37 — also known as InkySquid, ScarCruft, Ruby Sleet, Ricochet Chollima, RedEyes, and Reaper, reports The Hacker News.
Malicious spear-phishing emails may have been leveraged by APT37 to spread a ZIP archive containing an LNK file, which when executed launches PowerShell code carrying a DLL file that facilitates the retrieval of VeilShell, according to a Securonix report, which also noted the "methodical" nature of the attack campaign. Aside from enabling file information collection and folder compression, VeilShell also allows file downloads, renaming, and removal, as well as ZIP archive extraction. "The [VeilShell] backdoor trojan allows the attacker full access to the compromised machine. Some features include data exfiltration, registry, and scheduled task creation or manipulation," said researchers.
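The delivery chain described above (LNK double-clicked from an extracted archive, PowerShell launched under Explorer, scheduled task or registry persistence created from that PowerShell process) leaves a recognisable parent-child pattern in process-creation telemetry. The following is an added detection example, not code from the Securonix report or the article; the event format and the sample events are constructed to illustrate the pattern, and the command-line flags checked are common launcher options rather than indicators published for this campaign.

```python
"""Heuristic hunt for Explorer -> PowerShell -> persistence-tool chains.

Constructed Sysmon-style process-creation events (assumed tuple format:
pid, ppid, image, command_line). An LNK opened by a user shows up as
explorer.exe spawning powershell.exe; persistence set up by that script
shows up as the PowerShell process spawning schtasks.exe or reg.exe.
"""
from collections import defaultdict

# Constructed sample events; command lines are placeholders, not real payloads.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "powershell.exe", "powershell.exe -w hidden -ep bypass -c <placeholder>"),
    (300, 200, "schtasks.exe", "schtasks /create /tn <placeholder> /tr <placeholder>"),
    (400, 100, "winword.exe", "winword.exe report.docx"),
    (500, 1, "powershell.exe", "powershell.exe -File C:\\admin\\backup.ps1"),
]

# Launcher options that a double-clicked LNK typically needs to run unnoticed.
SUSPICIOUS_FLAGS = ("-w hidden", "-ep bypass", "-enc", "-nop")
PERSISTENCE_IMAGES = {"schtasks.exe", "reg.exe"}


def find_suspicious_chains(events):
    """Return PowerShell processes spawned by Explorer that either use
    stealth launcher flags or go on to spawn a persistence tool."""
    by_pid = {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _img, _cmd in events:
        children[ppid].append(pid)

    hits = []
    for pid, (ppid, img, cmd) in by_pid.items():
        if img.lower() != "powershell.exe" or ppid not in by_pid:
            continue
        if by_pid[ppid][1].lower() != "explorer.exe":
            continue  # not launched interactively (e.g. a service or a script)
        flags = [f for f in SUSPICIOUS_FLAGS if f in cmd.lower()]
        persistence = [by_pid[c][1] for c in children[pid]
                       if by_pid[c][1].lower() in PERSISTENCE_IMAGES]
        if flags or persistence:
            hits.append({"pid": pid, "flags": flags, "persistence": persistence})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(hit)
```

Only the Explorer-launched PowerShell process is flagged; the administrator's script run outside Explorer (pid 500) is left alone, which is the false-positive case a rule like this must handle.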