In recent times, hackers have been a threat to organizations all over the world; however, these hackers claim to come from different regions, and North Korean hackers have been in the news for a recent attack linked to them, which involves an undocumented backdoor and remote access Trojan (RAT) called VeilShell. This is specifically built for targeting Southeast Asian countries to claim dominance in the Asian region.
Research reveals that the remote access Trojan has been active since 2012, and it has been collectively assessed by North Korea’s Ministry of State Security (MSS); however, the RAT has key malware in its toolbox, which was developed by some aligned groups for covert intelligence gathering. The RAT is delivered to the target in a ZIP archive carrying a Windows shortcut (LNK) file, and no one has been able to detect how the first stage of VeilShell is loaded; however, it is suspected that it involves spear-phishing emails, which can attract users.
Whenever the machine is compromised, the VeilShell backdoor gives the attacker full access. According to the report shared on The Hacker News, it captures data exfiltration, scheduled task creation, or manipulation, which can be dangerous to organizations with a large customer base if, when considering this attack in a business environment, North Koreans have their target. When the LNK file is launched, it quickly triggers and decodes the next stage, and a lure document, such as a Microsoft Excel or PDF file, is used to distract the user while a configuration file and a malicious DLL file are secretly written to the Windows startup folder.
In the same folder, a legitimate executable called “dfsvc.exe” associated with Microsoft .NET Framework’s ClickOnce technology is also copied, but it is renamed as “d.exe.” The attackers utilize a technique called AppDomainManager injection to execute DomainManager.dll when “d.exe” is launched at startup and the binary reads the accompanying “d.exe.config” file in the same startup folder.
This attack method has been used by the China-aligned Earth Baxia actor and is gaining traction among threat actors as an alternative to DLL side-loading. The accompanying DLL file acts as a loader to retrieve JavaScript code from a remote server, which then connects to another server to obtain the VeilShell backdoor.
VeilShell is a PowerShell-based malware that contacts a command-and-control (C2) server to await further instructions. It can gather information about files, compress specific folders into ZIP archives and upload them back to the C2 server, download files from specified URLs, rename and delete files, and extract ZIP archives.
In conclusion,
The new VeilShell backdoor is more dangerous in the sense that the attackers are patient and allow each stage of the attack to feature a long sleep time to avoid being noticed by the target; however, the attack is not launched until the next system reboot.
More information can be obtained from https://thehackernews.com/2024/10/north-korean-hackers-using-new.html
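The post describes the persistence step as a renamed ClickOnce binary (dfsvc.exe copied as d.exe) placed in the Windows Startup folder next to a d.exe.config that points the .NET runtime at a malicious DomainManager.dll. The following PowerShell script is an added defensive example, not code from the original post or from the report it cites. It checks the per-user and all-user Startup folders for the two artifacts that technique leaves behind: a .config file whose runtime section names an AppDomainManager assembly/type, and an executable whose on-disk name differs from the OriginalFilename stored in its version resource. Folder locations come from the standard Windows special-folder API; no sample-specific hashes or names are assumed.

```powershell
# Added example (not from the original post): hunt for AppDomainManager-injection
# staging in the Startup folders. Two indicators are reported:
#   1. any *.config in Startup whose <runtime> section sets
#      appDomainManagerAssembly and/or appDomainManagerType
#   2. any *.exe in Startup whose file name differs from the OriginalFilename
#      in its version resource (a copied and renamed system binary)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
) | Where-Object { $_ -and (Test-Path -Path $_) }

$findings = @()

foreach ($folder in $startupFolders) {

    # Indicator 1: config files that redirect the .NET runtime to a custom AppDomainManager
    Get-ChildItem -Path $folder -Filter '*.config' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            [xml]$cfg = Get-Content -Path $_.FullName -Raw -ErrorAction Stop
        } catch {
            return   # not well-formed XML; nothing to inspect
        }
        $runtime = $cfg.configuration.runtime
        if ($null -ne $runtime -and
            ($null -ne $runtime.appDomainManagerAssembly -or $null -ne $runtime.appDomainManagerType)) {
            $findings += [pscustomobject]@{
                Indicator = 'AppDomainManager config in Startup'
                Path      = $_.FullName
                Detail    = "assembly=$($runtime.appDomainManagerAssembly.value) type=$($runtime.appDomainManagerType.value)"
            }
        }
    }

    # Indicator 2: executables whose on-disk name does not match the embedded OriginalFilename
    Get-ChildItem -Path $folder -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $_.Name)) {
            $findings += [pscustomobject]@{
                Indicator = 'Renamed executable in Startup'
                Path      = $_.FullName
                Detail    = "OriginalFilename=$orig"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No AppDomainManager-injection indicators found in the Startup folders.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an ordinary PowerShell prompt on the host being checked; the all-users Startup folder is readable without elevation. A hit on indicator 1 is rarely benign, because legitimate software almost never needs an AppDomainManager override in a Startup-folder config. Indicator 2 produces occasional false positives (installers that ship a binary under a different name than its version resource), so treat it as a lead to confirm rather than a verdict, and pair the check with the report's note that execution is deferred to the next reboot: a finding on a machine that has not rebooted since the files appeared is a chance to remove them before the loader ever runs.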
Interesting post! Cybersecurity threats, particularly those backed by state actors, are always evolving. Hackers’ strategies are constantly evolving, with lengthy lags between steps to avoid detection. The use of custom tools like VeilShell demonstrates that cyber espionage tactics are becoming more sophisticated.
According to your conclusion, the infection remains dormant unless specific conditions are met. This is problematic because it allows it to evade all standard security measures. The risks posed by these advanced tactics are critical, necessitating real-time monitoring and endpoint security to protect your system from such covert attacks.
Yes John, you are right; however, as the saying goes, ‘Knowledge is power.’ North Koreans know what other Asian countries are yet to know, so they have the upper hand to dominate the region with the knowledge of the VeilShell backdoor, gathering intelligence information and using it in their favor.
Great post!
Well, the VeilShell backdoor reveals the rise of North Korean cyber threats, targeting Southeast Asian countries and a stealthy, sophisticated approach. This shows the urgent need for cyber security measures, including advanced detection systems and regular employees training. As threats become more sophisticated, organizations must be more alert and adaptive to protect against targeted attacks.
I agree with you, and it means that North Koreans have taken another approach to winning wars. Imagine if they can systematically attack countries by making their computerized weapons inactive at the point of attack and also gather secret intelligence about their intended opponent by using the VeilShell backdoor. I feel that countries need to start integrating cybersecurity into every part of the interface in the web space to avoid excessive damage to property and economies.
In the future, I have a feeling that countries without adequate cybersecurity implementation/awareness in all aspects of their arms might be in danger due to attacks by the VeilShell backdoor.
Great piece George! I believe as we get more reliant on the internet and computers. It is super important that we use them securely and responsibly. It takes just a little mistake to get your systems compromised for whatever reason it may be, either due to a lack of proper security implementation or just some error from a user. It is super important to implement the right and necessary precautionary security measures as well as educate your users extensively on phishing and how to avoid them. In addition to training users, this article also highlights some important guidelines on some best industry practices for securing your systems.
https://www.ekransystem.com/en/blog/best-cyber-security-practices
@Mohammed, I feel that we understood earlier that security cannot be totally complete without extensive user-level awareness of how to secure the system; hence, it is very important to train users periodically to avoid system breaches.
Great post George! It’s alarming how sophisticated these attacks have become, especially with backdoor access like VeilShell that allows attackers to patiently wait before striking. The fact that no one has figured out exactly how the first stage is loaded makes it even more concerning. With the rise in spear-phishing and the use of everyday tools like Excel or PDFs to trick users, it’s clear that both individuals and organizations need to take better security measures to protect themselves. Cybersecurity is definitely more crucial than ever, and awareness like this is key to staying ahead of these evolving threats.
Cynthia, thank you for your comment; you are absolutely correct about the awareness alert, and it is a wake-up call for cybersecurity professionals too.
Informative post, George! I was reading up on this just the other day and found it eye-opening to see the various strategies hackers use to gain access to other systems. The news post I was reading involved using backdoor access to leverage job-themed phishing lures to target prospective victims on LinkedIn using well-designed and professional fake accounts to deliver malware via PDF files. As soon as the user downloads and opens the file, the attacker has gained access to their system and information. What was more concerning was that such phishing schemes were targeted towards employees in higher positions. This would allow attackers to gain all information that may not even be available to other employees working within the company. Such cases highlight the importance of strong security measures and standards that must be implemented and put into practice in any workplace. Thanks for this post, George!
Hello George, your discussion post covered a very hot topic, and I was interested throughout the whole post. It was very well done. In particular, one aspect that caught my attention when I was reading your findings was the hacker’s method of implementing Veilshell, which was a new backdoor RAT. Specifically, the process in which Veilshell was delivered really stood out because it was delivered via a ZIP archive that contained an LNK file, which triggers the next steps of distracting users, while a configuration file and DLL file are written within the Windows startup folder. Furthermore, after the user’s machine is compromised, the RAT allows full access to the attacker, which in the use cases that were provided becomes very malicious. Another interesting factor was that the attackers injected a DomainManager to execute commands at a system startup, which would retrieve Javascript code from remote servers and load it into the Veilshell backdoor. Since the malware can utilize long sleep cycles, we have to be more cautious regarding threat detection and prevention.
Excellent post, George! The fact that Southeast Asian nations are the target of this attack is notable. It looks like North Korean hackers are making a significant effort to prove their power in the area. Organizations there need to use extreme caution, particularly in the context of these types of state-funded attacks. This demonstrates the increased ability and power of North Korean hackers. VeilShell’s thoughtful, slower approach just works to highlight their lack of hurry in waiting for the ideal opportunity to present itself. They are now playing the long game; it is no longer about fast, clear attacks.