Stratos Ally

APT37 Strikes Again: New Campaign Targets South Asia  


DarkSoul


The APT37 group, also tracked as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet and ScarCruft, has been deploying a backdoor called VeilShell in a campaign dubbed SHROUDED#SLEEP. The activity targets Cambodia and other countries in Southeast Asia, and the tactics described below have been observed in recent intrusions.

The first-stage payload is believed to arrive by spear-phishing email as a ZIP archive containing a Windows shortcut (LNK) file. The LNK file acts as a dropper: when opened, it runs PowerShell code that decodes the next-stage payload. A harmless-looking decoy document, a Microsoft Excel workbook or a PDF, opens automatically to hold the user's attention. In the background, a configuration file ("d.exe.config") and a malicious DLL ("DomainManager.dll") are written to the Windows Startup folder, and a copy of the legitimate Microsoft .NET executable "dfsvc.exe" is placed in the same folder under the name "d.exe".

When "d.exe" is launched at startup, the .NET runtime reads the accompanying "d.exe.config" from the same Startup folder. That config instructs the runtime to load "DomainManager.dll" as the application's AppDomainManager, so the attacker's DLL executes inside a legitimate, signed process (a technique known as AppDomainManager injection). The DLL retrieves JavaScript code from a remote server, and that script in turn contacts a second server to download the VeilShell backdoor onto the victim host. Once installed, VeilShell can enumerate files on the system, compress files and upload them to the C2 server, delete files, and carry out other tasks on the operator's command.
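The Startup-folder layout described above (a renamed .NET host, a sidecar .exe.config and a DLL beside it) is the part of the chain a defender can hunt for on disk. What follows is an added example, not code from the article or from the Securonix report: a Python script that walks a folder, parses each *.exe.config, and flags any that redirect the .NET AppDomainManager to a DLL staged next to the executable. The appDomainManagerAssembly and appDomainManagerType element names are the real .NET runtime settings; the assembly version, the type name and the placeholder file contents in the built-in sample are assumptions made for the demonstration.

```python
"""Hunt for .NET AppDomainManager injection staged in a Startup folder.
Added example, not code from the article or the Securonix report. It models the
layout the article describes: a renamed .NET host ("d.exe"), its sidecar
"d.exe.config" and a managed DLL ("DomainManager.dll") in one folder. The two
config element names are real .NET runtime settings; the assembly version and
type name in the constructed sample are assumptions.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config in the shape an AppDomainManager hijack uses.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.MyAppDomainManager" />
  </runtime>
</configuration>
"""
# Constructed benign config: pins a runtime version, no manager override.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" /></startup>
</configuration>
"""

@dataclass
class Finding:
    config_path: str
    host_exe: str               # executable the .config belongs to
    manager_assembly: str       # <appDomainManagerAssembly value=...>
    manager_type: str           # <appDomainManagerType value=...>
    sidecar_dll: Optional[str]  # managed DLL found beside the host, if any
    notes: List[str] = field(default_factory=list)

def parse_manager_override(text: str) -> Optional[Tuple[str, str]]:
    """Return (assembly, type) when a config redirects the AppDomainManager."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value", ""), typ.get("value", "")

def assembly_simple_name(display_name: str) -> str:
    """'DomainManager, Version=1.0.0.0, ...' -> 'DomainManager'."""
    return display_name.split(",", 1)[0].strip()

def scan_startup_dir(path: str) -> List[Finding]:
    """Flag every *.exe.config in `path` that installs an AppDomainManager."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".exe.config"):
            continue
        cfg_path = os.path.join(path, name)
        with open(cfg_path, encoding="utf-8", errors="replace") as fh:
            override = parse_manager_override(fh.read())
        if override is None:
            continue
        asm, typ = override
        host_exe = os.path.join(path, name[:-len(".config")])
        dll_path = os.path.join(path, assembly_simple_name(asm) + ".dll")
        finding = Finding(cfg_path, host_exe, asm, typ,
                          dll_path if os.path.isfile(dll_path) else None)
        if not os.path.isfile(host_exe):
            finding.notes.append("no host executable beside the config")
        if finding.sidecar_dll is None:
            finding.notes.append("manager assembly not staged beside the host")
        findings.append(finding)
    return findings

def build_sample_startup_dir(path: str) -> None:
    """Write the constructed artefacts; placeholder bytes stand in for binaries."""
    for fname, content in (("d.exe.config", SAMPLE_CONFIG), ("app.exe.config", BENIGN_CONFIG)):
        with open(os.path.join(path, fname), "w", encoding="utf-8") as fh:
            fh.write(content)
    for fname in ("d.exe", "DomainManager.dll", "app.exe"):
        with open(os.path.join(path, fname), "wb") as fh:
            fh.write(b"MZ")

def demo_scan() -> List[Finding]:
    """Build the constructed folder in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_startup_dir(tmp)
        return scan_startup_dir(tmp)

if __name__ == "__main__":
    for f in demo_scan():
        print(f"{os.path.basename(f.host_exe)} loads {f.manager_type} from "
              f"{f.sidecar_dll} notes={f.notes}")
```

On a real host, point scan_startup_dir at the per-user folder %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the all-users folder %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp. Any .exe.config with an AppDomainManager override in a Startup folder deserves a look regardless of the file names used, since the attacker is free to rename both the host and the DLL; the benign "app.exe.config" in the sample shows that an ordinary runtime-version pin is not flagged.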

Securonix researchers Den Iuzvyk and Tim Peck, who documented the campaign, note that the VeilShell backdoor gives the attackers full control of the compromised host. Rather than relying on a software exploit, the chain abuses a user's trust in a shortcut from a phishing archive, a legitimate signed binary and a .NET configuration feature, which makes it harder to spot than a conventional dropper. AppDomainManager injection also appears to be a growing trend among threat actors, as evidenced by its recent use by the Earth Baxia group.
