lazarusholic

SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia

2024-10-03, Securonix
https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/
#APT37 #VeilShell #ShroudedSleep

By Securonix Threat Research: Den Iuzvyk, Tim Peck
Oct 3, 2024
tldr:
North Korea has been identified delivering VeilShell, a stealthy PowerShell-based malware, using a series of advanced evasion techniques against victims in Southeast Asia.
The Securonix Threat Research team has uncovered an ongoing campaign, identified as SHROUDED#SLEEP, likely attributed to North Korea's APT37 (also known as Reaper or Group123). This advanced persistent threat group is believed to be based in North Korea and is delivering stealthy malware to targets across Southeast Asian countries. Unlike other APT groups from the region such as Kimsuky, APT37 has a long history of targeting countries beyond its expected South Korean targets, including a number of recent campaigns against Southeast Asian countries.
This is not the first time North Korea has targeted this particular region. Data from earlier campaigns shows malware similar to that used in this campaign. However, it appears the threat actors have retooled and …

IoC

9D0807210B0615870545A18AB8EAE8CECF324E89AB8D3B39A461D45CAB9EF957
172.93.181.249
208.85.16.88
http://172.93.181.249
https://jumpshare.com/view/load/crjl6ovj7HVGtuhdQrF1
https://jumpshare.com/viewer/load/zB564bxDA3yG8PnFR90I
https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/
7E9F91F0CFE3769DF30608A88091EE19BC4CF52E8136157E4E0A5B6530D510EC
4E8B6DECCDFC259B2F77573AEF391953ED587930077B4EDB276DBBB679EF350B
50BF6FDBFF9BFC1702632EAC919DC14C09AF440F5978A162E17B468081AFBB43
AF74D416B65217D0B15163E7B3FD5D0702D65F88B260C269C128739E7E7A4C4D
http://208.85.16.88
6B95BC32843A55DA1F8186AEC06C0D872CAC13D9DF6D87114C5F8B7277C72A4F
http://172.93.181.249/control/com.php
https://3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence
913830666DD46E96E5ECBECC71E686E3C78D257EC7F5A0D0A451663251715800
106C513F44D10E6540E61AB98891AEE7CE1A9861F401EEE2389894D5A9CA96EF
BEAF36022CE0BD16CAAEE0EBFA2823DE4C46E32D7F35E793AF4E1538E705379F
http://172.93.181.249/control/html/1.html
http://208.85.16.88/wy/[computername].txt
55235BC9B0CB8A1BEA32E0A8E816E9E7F5150B9E2EEB564EF4E18BE23CA58434
CFBD704CAB3A8EDD64F8BF89DA7E352ADF92BD187B3A7E4D0634A2DC764262B5