North Korea ‘Shrouded Sleep’ malware campaign targeting Cambodia, other Southeast Asian nations

North Korean government hackers have targeted several Southeast Asian countries — even perceived allies like Cambodia — with a malware campaign over the last year designed to create backdoors into systems at important organizations. 

Cybersecurity experts at Securonix published a 22-page examination of a campaign they call “Shrouded Sleep,”  which they attributed to APT37. Allegedly housed within North Korea’s Ministry of State Security, the group is one of the country’s most prolific hacking operations.

“Cambodia appears to be the primary target for this campaign, however, it could extend into other Southeast Asian countries. This is based on the language and countries referenced within the phishing lures, and geographical telemetry data based on related identified samples,” they said.

The victim organizations, which Securonix did not name or describe in detail, are inundated with phishing emails with malware attached in a zip file. The attached backdoor, which they named VeilShell, “allows the attacker full access to the compromised machine. 

“Some features include data exfiltration, registry, and scheduled task creation or manipulation,” they said. 

“Overall, the threat actors were quite patient and methodical. Each stage of the attack features very long sleep times in an effort to avoid traditional heuristic detections. Once VeilShell is deployed it doesn’t actually execute until the next system reboot.”

The files within the zip are made to look legitimate because they ended in .pdf.lnk, or .xlsx.lnk and typically had fake shortcut icons to match the extension.

The researchers said each shortcut file they analyzed contained a lure document — an Excel file in one case and a PDF in another — that was opened to distract the user while the malware was dropped in the background. 

Securonix shared one of the lure documents, which was written in Khmer, the national language of Cambodia. 

The document relates income across economic sectors, the researchers said. “The document is rather uninteresting and is not malicious in any way. Its sole purpose is to present something legitimate to the user. This way the intended action (clicking an Excel file) produces an expected result,” they said.

Another lure document was written in English but contained information related to Cambodia.

Once the backdoor is in place, the attacker is able to send commands remotely and export data about specific files, upload other files and more. 

The researchers did not have more information on what the hackers were looking for or why they would be targeting Cambodia — one of a handful of countries with an embassy in North Korea. The two countries have long standing historical ties and North Korea’s embassy is across the street from the home of former Cambodian Prime Minister Hun Sen.

Securonix researchers said the campaign was another example of North Korea’s sophistication and ability to deploy stealthy tools in their espionage campaigns across Asia.

APT37 was already implicated in another set of attacks in January that targeted media organizations and high-profile academics. Securonix reported last year on a campaign using U.S. military job-recruitment documents to lure South Koreans into downloading malicious content.