North Korean state-linked hackers have posed as journalists to target experts on North Korea policy, according to new research from Google's Threat Analysis Group (TAG) that follows Mandiant's report from last week. Mandiant attributes the activity to APT43, a suspected North Korean government group that has spent years spying on South Korean and U.S. government agencies and businesses.
TAG researchers have tracked a subset of APT43 activity under the label "ARCHIPELAGO" since 2012, according to a Wednesday blog post. The group has targeted "experts in North Korea policy problems like sanctions, human rights, and non-proliferation issues," the researchers wrote.
According to the researchers, the group uses phishing emails and malicious Chrome extensions to target government and military personnel, think tanks, policymakers, academics, and researchers in South Korea, the United States, and elsewhere.
"ARCHIPELAGO regularly sends phishing emails where they act as a media outlet or think tank and invite North Korea experts to participate in a media interview or request for information (RFI)," TAG wrote.
TAG found phishing emails that asked targets to click a link to view the interview questions. The link led to a fake Google login page that captured the password the target typed in.
Once the password was submitted, the page redirected to a Google Doc that did contain the promised questions and other information, keeping the ruse intact. Before sending the malicious link or file, the hackers spent days or weeks exchanging emails with the target to build trust.
In one case, the researchers saw a hacker posing as a journalist from a South Korean news agency send a series of benign emails to North Korea experts.
After several such exchanges, the hacker sent a OneDrive link to a password-protected file containing malware. TAG also observed links to "browser-in-the-browser" phishing pages, which render a fake browser window, complete with a login prompt, inside the real page.
Victims who enter their username and password believe they are on a genuine login page. The researchers noted that the group has refined its lures over time, moving from simple Google Account security alert emails to more elaborate scenarios.
In 2022 the group sent emails impersonating the State Department Federal Credit Union that warned recipients of suspicious Google Account logins. TAG said the group evades antivirus scanning by password-protecting its malware inside archive files and sending the password to the victim in the phishing email.
ARCHIPELAGO also borrows delivery techniques from cybercrime. In a recent phishing email the group linked to an ISO file named "Interview with Voice of America.iso."
The ISO contained a password-protected ZIP file that deployed BabyShark malware once extracted. ARCHIPELAGO's repeated abuse of Chrome extensions prompted Google to make significant changes to the Chrome extension ecosystem.
Since 2018, the group has used malicious Chrome extensions to steal usernames, passwords, and cookies. Targets receive phishing emails linking to documents that urge them to install the extension.
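The ISO-wrapping-an-encrypted-ZIP chain described above can be flagged at a mail gateway without knowing the password, because the ZIP format records encryption in a header flag that is readable in the clear. The following triage helper is an added example written for this article, not code from Google TAG or Mandiant; the ISO and ZIP samples it checks are constructed in memory (the ISO is only a stub with the right volume-descriptor magic) so that it runs offline.

```python
"""Attachment triage for the ISO -> password-protected ZIP delivery chain.
Added example, not Google TAG or Mandiant code. Sample files are constructed."""
import io
import struct
import zipfile

ISO_PVD_OFFSET = 0x8000       # ISO 9660: first volume descriptor sits at sector 16 (2048-byte sectors)
ISO_MAGIC = b"CD001"          # standard identifier that follows the 1-byte descriptor type
ZIP_ENCRYPTED_FLAG = 0x0001   # ZIP general-purpose bit 0: entry is encrypted
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".lnk", ".hta", ".vbs", ".js", ".bat", ".chm", ".dll")


def is_iso9660(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor at the standard offset."""
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC


def encrypted_zip_entries(data: bytes) -> list:
    """Names of ZIP entries whose general-purpose flag marks them encrypted.
    Only the central directory is read, so no password is needed."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> list:
    """Return indicator strings for one attachment (empty list = nothing notable)."""
    indicators = []
    if is_iso9660(data):
        indicators.append("iso-container")
        if not filename.lower().endswith(".iso"):
            indicators.append("extension-mismatch")
    names = encrypted_zip_entries(data)
    if names:
        indicators.append("zip-encrypted-entries")
        if any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names):
            indicators.append("zip-encrypted-executable")
    return indicators


def build_encrypted_zip(member: str, payload: bytes) -> bytes:
    """Constructed sample: write a plain ZIP, then set the encryption bit in the
    local and central headers so it looks password-protected (the stdlib cannot
    write encrypted ZIPs; the payload is dummy bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    local = raw.find(b"PK\x03\x04")      # local file header: flags at +6
    central = raw.find(b"PK\x01\x02")    # central directory header: flags at +8
    for off in (local + 6, central + 8):
        flags = struct.unpack_from("<H", raw, off)[0] | ZIP_ENCRYPTED_FLAG
        struct.pack_into("<H", raw, off, flags)
    return bytes(raw)


def build_fake_iso() -> bytes:
    """Constructed sample: just enough of an ISO 9660 image for the magic check."""
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 7] = b"\x01" + ISO_MAGIC + b"\x01"
    return bytes(img)


if __name__ == "__main__":
    print(triage("Interview with Voice of America.iso", build_fake_iso()))
    print(triage("questions.zip", build_encrypted_zip("questions.hta", b"constructed dummy bytes")))
```

In a real pipeline the ISO would be mounted or parsed and its contents fed back through `triage`, so the encrypted ZIP inside the image is caught on the second pass; the two indicators together (ISO container plus encrypted archive holding a script or executable) are what make the lure worth quarantining.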
More recently, ARCHIPELAGO has attempted workarounds to install SHARPEXT, a newer malicious Chrome extension. "SHARPEXT can parse emails from active Gmail or AOL Mail tabs and exfiltrate them to an attacker-controlled system if installed on a user PC," TAG researchers said.
“ARCHIPELAGO must now install malware on the user system and overwrite the Chrome Preferences and Secure Preferences files to operate the extension due to Chrome extension ecosystem security improvements.”
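Because the extension now has to be side-loaded by rewriting the profile's Preferences and Secure Preferences files, those files are also where a responder can look for it. The script below is an added example for this article, not Google TAG code; it walks the `extensions.settings` block of a Secure Preferences JSON (the layout Chrome uses for installed extensions) and flags entries that did not come from the Web Store, were loaded unpacked from a directory, request Gmail or AOL Mail hosts, or lack a `protection.macs` entry. The sample profile is constructed, and the location-code names are taken from Chrome's public `Manifest::Location` enum as assumed here.

```python
"""Hunt for side-loaded Chrome extensions in a Secure Preferences file.
Added example, not Google TAG code. The sample profile below is constructed."""
import json

# Chrome Manifest::Location values (assumed from the public enum):
# 1 INTERNAL (normal CRX install, e.g. Web Store), 4 UNPACKED (developer-mode
# directory load), 9 COMMAND_LINE. Component extensions (5) are built in and skipped.
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry",
                  4: "unpacked", 5: "component", 6: "external_pref_download",
                  8: "external_policy_download", 9: "command_line", 10: "external_policy"}
NON_STORE_LOCATIONS = {2, 3, 4, 6, 9}
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")
SENSITIVE_APIS = {"tabs", "webRequest", "webRequestBlocking", "cookies", "<all_urls>"}


def suspicious_extensions(secure_prefs: dict) -> list:
    """One finding per extension with at least one reason to look closer."""
    findings = []
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    macs = secure_prefs.get("protection", {}).get("macs", {}).get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        loc = entry.get("location")
        if loc == 5:
            continue  # built-in component extension
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if loc in NON_STORE_LOCATIONS:
            reasons.append(f"location={LOCATION_NAMES.get(loc, loc)}")
        if any(h in p for p in perms for h in MAIL_HOSTS):
            reasons.append("mail host permission")
        if perms & SENSITIVE_APIS:
            reasons.append("sensitive API: " + ", ".join(sorted(perms & SENSITIVE_APIS)))
        # Chrome resets prefs whose HMAC is missing or wrong; a tamperer who rewrote the
        # file properly recomputes it, so absence is a weak signal, presence proves nothing.
        if ext_id not in macs:
            reasons.append("no protection MAC")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": entry.get("path", ""), "reasons": reasons})
    return findings


def load_secure_prefs(path: str) -> dict:
    """Read a profile's Secure Preferences file (e.g. .../User Data/Default/Secure Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile: one Web Store extension and one side-loaded mail reader.
SAMPLE_SECURE_PREFS = {
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "path": r"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\1.2.3_0",
            "manifest": {"name": "Benign Notes", "permissions": ["storage"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4,
            "path": r"C:\Users\Public\ext",
            "manifest": {"name": "Document Helper",
                         "permissions": ["tabs", "webRequest",
                                         "*://mail.google.com/*", "*://mail.aol.com/*"]}},
    }},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "0000"}}}},
}

if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_SECURE_PREFS):
        print(f["id"], f["name"], f["path"], "; ".join(f["reasons"]))
```

Run it against `load_secure_prefs(path)` for each profile on a host; an unpacked extension living under a user-writable path with mail-host permissions is the pattern the quoted TAG description implies, and the `path` field tells you where to collect the extension's source for analysis.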
A North Korean government-backed threat actor has targeted South Korean and U.S. government and military officials, think tanks, policymakers, academics, and researchers. Google's Threat Analysis Group (TAG) tracks the cluster as ARCHIPELAGO and considers it a subset of Mandiant's APT43. Google has "seen the group target individuals with expertise in North Korea policy problems such as sanctions, human rights, and non-proliferation issues" since 2012. The aims of APT43 and ARCHIPELAGO align with those of North Korea's Reconnaissance General Bureau (RGB), the country's principal foreign intelligence service, and the activity overlaps with what other vendors track as Kimsuky. ARCHIPELAGO steals passwords with phishing emails whose links lead to fake login pages.
These messages purport to come from media outlets and think tanks and offer interviews or information about North Korea. "ARCHIPELAGO invests time and effort to create a connection with targets, typically communicating with them by email over several days or weeks before finally sending a malicious link or file," TAG added. The threat actor also uses the browser-in-the-browser (BitB) technique, displaying a rogue login page inside a fake browser window to harvest credentials. The group has hosted malware payloads such as BabyShark on Google Drive as blank files or ISO optical disc images, delivered in phishing messages disguised as Google account security alerts.