A North Korean government-backed hacking crew, tracked as ARCHIPELAGO, is targeting academics, government and military personnel, policymakers, researchers, and think tanks in South Korea and the U.S. According to Google researchers, it has launched cyberattacks against accounts belonging to individuals with expertise in North Korea policies such as sanctions, human rights, and non-proliferation issues.
About the group
Active since 2012, ARCHIPELAGO, a subset of another threat group tracked as APT43, has been evolving its tactics from fairly basic credential phishing to advanced and novel techniques such as custom Chrome extensions and using Google Drive for C2.
Initial attack tactics
The group builds a rapport with targets and corresponds with them by email over several days or weeks before finally sending a malicious link or file.
- These messages purport to be from media outlets and think tanks and lure recipients into participating in media interviews or providing additional information about North Korea.
- When clicked, the phishing link redirects recipients to fake login pages designed to steal the entered credentials by capturing keystrokes. The harvested credentials are exfiltrated to an attacker-controlled URL.
Variations in phishing emails
In one attack, the group sent a phishing email containing a OneDrive link to a password-protected file embedded with malware.
- Additionally, it utilized the Browser-in-the-Browser (BitB) technique to display rogue login pages inside an actual browser window to steal credentials.
- Moreover, some phishing messages posed as Google account security alerts to trick victims.
Shift towards advanced and novel techniques
Over time, ARCHIPELAGO started using legitimate cloud storage services such as Google Drive and OneDrive to host benign PDFs with phishing links inside to evade detection by antivirus services.
- The group delivered password-protected malware payloads, such as BabyShark, via a phishing email or Drive using ISO files and shared the password with recipients.
- Furthermore, it utilized Drive file names for C2 and placed encoded commands in file names.
- Most notably, ARCHIPELAGO used fraudulent Google Chrome extensions in combination with phishing and malware to harvest sensitive data.
- It attempted to install a new malicious Chrome extension, known as SHARPEXT, that can parse emails from active Gmail or AOL Mail tabs and send them to an attacker-controlled C2.
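For defenders, one way to review which installed Chrome extensions can reach the webmail tabs mentioned above. This is an added example, not code from Google's report: the hostnames `mail.google.com` and `mail.aol.com` and the function names are assumptions chosen for illustration, and the check relies only on Chrome's standard manifest keys.

```python
import json
from pathlib import Path

# Assumed webmail hosts for the Gmail and AOL Mail tabs named in the article.
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")

def host_matches(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern (scheme://host/path) covers `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permission names ("tabs"), chrome://, file://, ...
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def mail_access(manifest: dict) -> dict:
    """Map each webmail host to the manifest patterns that grant access to it."""
    patterns = []
    for key in ("permissions", "host_permissions",
                "optional_permissions", "optional_host_permissions"):
        patterns += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    hits = {}
    for host in MAIL_HOSTS:
        granted = sorted({p for p in patterns if host_matches(p, host)})
        if granted:
            hits[host] = granted
    return hits

def audit(extensions_dir: Path) -> list:
    """Scan <dir>/<extension id>/<version>/manifest.json in a Chrome profile."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = mail_access(manifest)
        if hits:
            findings.append((path.parts[-3], manifest.get("name", "?"), hits))
    return findings
```

A hit means the extension is able to read those tabs, not that it is malicious; compare the flagged extension IDs against the set your organization has approved.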
Wrapping up
Google warns about ARCHIPELAGO’s techniques and their evolution over time to evade detection. The group has focused on conducting traditional credential phishing campaigns while simultaneously experimenting with new techniques. Users are advised to prioritize their security before engaging in any email correspondence.