PowerShell-based malware is a form of fileless malware: it uses PowerShell to run malicious scripts directly in memory, leaving little on disk for file-scanning antivirus to inspect.
Attackers favor this approach because PowerShell is built into Windows and its use by administrators is routine, so malicious commands blend in with legitimate activity and rarely raise alarms on their own.
The Securonix Threat Research team recently identified North Korean hackers actively employing PowerShell-based malware with notable evasion techniques.
North Korean Hackers & PowerShell-Based Malware
The ongoing campaign has been dubbed “SHROUDED#SLEEP,” and Securonix attributes it to North Korea’s APT group “APT37” (aka “Reaper” and “Group123”).
This group primarily targets Southeast Asian countries, with Cambodia the main focus of this campaign.
The attack begins via “phishing emails” that contain malicious “zip files” with deceptive shortcut (“.lnk”) files that appear as “PDFs” or “Excel” documents.
These shortcuts trigger a sophisticated “PowerShell-based” attack chain that extracts three payloads:-
- A decoy document (“e.xlsx”).
- A configuration file (“d.exe.config”).
- A malicious DLL (“DomainManager.dll”).
The final payload is a custom PowerShell backdoor named “VeilShell,” which provides RAT capabilities that enable threat actors to gain complete control over “compromised systems.”
The malware employs several evasion techniques, such as extended sleep times and AppDomainManager hijacking for persistence, while using the .NET Framework’s dfsvc.exe as a legitimate cover, the report reads.
The attack chain culminates in the malware communicating with a command-and-control server over HTTPS (specifically jumpshare[.]com) using TLS 1.2 and executing JavaScript retrieved from the server, all while maintaining stealth through strategic delays and cleanup procedures.
Upon execution, the dropper used PowerShell commands to deploy multiple attack stages, including a custom DLL named DomainManager.dll loaded via the AppDomainManager hijacking technique.
The DLL runs inside a renamed copy of a legitimate executable (“d.exe”) and applies a Caesar cipher (a -7 shift) to decode JavaScript fetched from a C2 server at hxxp://208.85.16[.]88, which it then executes.
This JavaScript created a “WScript.Shell” object to interact with the Windows environment and deployed the final payload.
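The Caesar step above is simple enough to reproduce on the analyst side. The following is an added example, not code from the Securonix report or from the malware itself: it implements the -7 shift decoder and a brute-force that recovers the shift when it is not known in advance, by scoring candidates for the WScript markers a decoded stage like this one would contain. The report does not say which alphabet the cipher wraps over, so the example assumes the printable ASCII range 0x20–0x7E and leaves newlines and tabs untouched; the sample script and the `JS_MARKERS` list are constructed for the example.

```python
"""Caesar-shift decoder for the JavaScript stage fetched by DomainManager.dll.

Added example, not code from the Securonix report or the malware. Assumption:
the shift wraps over printable ASCII (0x20..0x7E); other characters pass through.
"""

PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7E
ALPHABET_SIZE = PRINTABLE_HI - PRINTABLE_LO + 1  # 95 symbols


def caesar(text: str, shift: int) -> str:
    """Shift every printable ASCII character by `shift`, wrapping within
    0x20..0x7E. caesar(caesar(s, 7), -7) == s for any string s."""
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_LO <= code <= PRINTABLE_HI:
            code = PRINTABLE_LO + (code - PRINTABLE_LO + shift) % ALPHABET_SIZE
        out.append(chr(code))
    return "".join(out)


# Tokens a decoded WScript payload will almost certainly contain (constructed
# list); used to score candidate shifts when the -7 is not known in advance.
JS_MARKERS = ("WScript.Shell", "ActiveXObject", "function", "var ", ".Run(")


def recover_shift(ciphertext: str) -> int:
    """Try all 95 shifts and return the one whose output looks most like
    JavaScript (most JS_MARKERS present). Ties go to the smaller |shift|."""
    best_shift, best_score = 0, -1
    candidates = range(-(ALPHABET_SIZE // 2), ALPHABET_SIZE // 2 + 1)
    for shift in sorted(candidates, key=abs):
        decoded = caesar(ciphertext, shift)
        score = sum(marker in decoded for marker in JS_MARKERS)
        if score > best_score:
            best_shift, best_score = shift, score
    return best_shift


# Constructed stand-in for the script the loader fetches; not a real C2 response.
SAMPLE_JS = """var sh = new ActiveXObject("WScript.Shell");
function run(cmd) { sh.Run(cmd, 0, false); }
run("powershell -w hidden -nop -c \\"Start-Sleep 64\\"");
"""

if __name__ == "__main__":
    wire = caesar(SAMPLE_JS, 7)  # what the server would hand to the DLL
    print("on the wire:\n" + wire)
    print("recovered shift:", recover_shift(wire))
    print("decoded:\n" + caesar(wire, -7))
```

When you have a captured response but are unsure of the shift, `recover_shift` is the quicker route than eyeballing 95 outputs; if the sample turns out to rotate only letters, or over a different range, adjust `PRINTABLE_LO`/`PRINTABLE_HI` rather than the scoring.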
The RAT established persistence through Windows Registry modifications, communicated with a C2 server at hxxp://172.93.181[.]249 via HTTP GET/POST requests, and used a 1 MB buffer for file operations.
VeilShell’s capabilities include file upload/download, registry modification, scheduled task creation, and system information gathering (hostname and username) for victim identification.
To evade antivirus detection, the malware used strategic delays (64-second sleep intervals) and avoided direct command execution.
To maintain long-term unauthorized access while remaining undetected on compromised systems, this multi-stage attack combined legitimate Windows tools with stealthy techniques, which the report maps to “T1204.001” (‘Shortcut File Dropper’), “T1574.014” (‘AppDomainManager Hijacking’), “T1059.007” (‘Remote JavaScript’), and “T1059.001” (‘PowerShell Backdoor’).
Recommendations
The report’s recommendations are as follows:-
- Avoid unsolicited file downloads (zip, rar, pdf).
- Treat external download links as risky.
- Monitor the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) for malware staging.
- Watch for persistence in the Registry and scheduled tasks.
- Enable endpoint logging (Sysmon, PowerShell script block and module logging).
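Two of the artefacts described above are cheap to hunt for once Sysmon and PowerShell logging are on: the `.exe.config` that points the CLR at a custom AppDomainManager, and a renamed dfsvc.exe loading DomainManager.dll out of the Startup folder. The following is an added example, not code from the Securonix report: it parses a constructed `d.exe.config` for the two `<runtime>` settings that make AppDomainManager hijacking work, then runs a few constructed Sysmon-style events (Event ID 1 process create, Event ID 7 image load, one JSON object per line as a SIEM would forward them) through simple checks for the renamed host, the PowerShell parent, and the DLL load from Startup. The type name and version in the config, the paths, and the event field subset are assumptions for the example.

```python
"""Hunting the SHROUDED#SLEEP staging pattern in endpoint telemetry.

Added example, not code from the Securonix report. Sample config and events
below are constructed; field names follow Sysmon's Image / ImageLoaded /
OriginalFileName / ParentImage conventions.
"""
import json
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed d.exe.config. The CLR reads these two <runtime> settings and
# loads the named assembly before any managed code of the host executes;
# assembly version and type name are assumed for the example.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Loader" />
  </runtime>
</configuration>
"""


def app_domain_manager_settings(config_xml: str) -> dict:
    """Return the appDomainManager* settings found in a .NET app config.

    An empty dict means the config does not redirect the AppDomainManager.
    Legitimate software almost never sets these, so a hit next to a renamed
    or out-of-place host binary deserves a look."""
    root = ET.fromstring(config_xml)
    found = {}
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        el = root.find(f"runtime/{tag}")
        if el is not None and el.get("value"):
            found[tag] = el.get("value")
    return found


# Constructed Sysmon-like events: 1 = process create, 7 = image load.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\d.exe","OriginalFileName":"dfsvc.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID":7,"Image":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\d.exe","ImageLoaded":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\DomainManager.dll"}
{"EventID":1,"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe","OriginalFileName":"dfsvc.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":7,"Image":"C:\\Program Files\\App\\app.exe","ImageLoaded":"C:\\Program Files\\App\\DomainManager.dll"}
"""

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def in_startup(path: str) -> bool:
    """True if the path sits under a Start Menu\\Programs\\Startup folder."""
    return STARTUP_MARKER in path.lower()


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt(event_lines: str) -> list:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:
            name = basename(ev["Image"])
            orig = ev.get("OriginalFileName", "").lower()
            # On-disk name differing from the PE's OriginalFileName means the
            # binary was renamed; dfsvc.exe (the ClickOnce host) running as
            # d.exe is the case the article describes.
            if orig == "dfsvc.exe" and name != orig:
                findings.append(f"renamed dfsvc.exe running as {name}")
            # Anything PowerShell launches out of Startup is staging, not a user.
            if in_startup(ev["Image"]) and basename(ev.get("ParentImage", "")) == "powershell.exe":
                findings.append(f"powershell spawned {name} from Startup")
        elif ev["EventID"] == 7:
            if basename(ev["ImageLoaded"]) == "domainmanager.dll" and in_startup(ev["ImageLoaded"]):
                findings.append(f"{basename(ev['Image'])} loaded DomainManager.dll from Startup")
    return findings


if __name__ == "__main__":
    print("config:", app_domain_manager_settings(SAMPLE_CONFIG))
    for f in hunt(SAMPLE_EVENTS):
        print("finding:", f)
```

The legitimate dfsvc.exe launched by explorer.exe and the DomainManager.dll under Program Files produce no findings, which is the point of tying each check to the renamed name or the Startup location rather than to the filename alone; in a real deployment the same two checks translate directly into SIEM queries over Sysmon Event IDs 1 and 7.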