Google’s Threat Analysis Group (TAG) has described the defensive measures it takes to protect users from a North Korean government-backed APT group.
Following Mandiant’s recent analysis of APT43, TAG shared how it protects targeted users; TAG has tracked this APT43 activity under the name ARCHIPELAGO since 2012.
APT43 targets the Google and non-Google accounts of government and military officials, policymakers, and researchers both in the U.S. and abroad.
To keep targeted users safe, Google continually adds the group’s malicious websites, domains, and other IOCs to Safe Browsing
and sends warnings to the email accounts of targeted users so they can protect themselves from further attacks.
ARCHIPELAGO Activities
Google found that the threat actors often send phishing emails that impersonate a media outlet, prompting the recipient to review interview questions or provide information.
The link in the email leads to a phishing site masquerading as a login prompt. The page records keystrokes as the user types their credentials and sends them to the attacker-controlled server.
Once the victim submits the password, the page redirects to a benign document on Google Drive containing the promised interview questions, so nothing looks amiss.
To make the phishing page highly effective and legitimate-looking, ARCHIPELAGO spends several days building it before sending it to the target.
“In one case, the group posed as a journalist for a South Korean news agency and sent benign emails with an interview request to North Korean experts,” Google said.
To make the approach appear more legitimate, the actors exchange several benign emails to build trust before delivering malware, typically as a OneDrive link to a password-protected file attachment.
Browser-in-the-Browser
In another case, TAG found a link leading to a phishing page that used a browser-in-the-browser technique: a fake browser window rendered with HTML and CSS inside the real browser.
The fake window shows an exact copy of the Google account login page and prompts the user to enter credentials. Because the “window” is just page content, it cannot be dragged outside the real browser viewport and its address bar is not a real one, which is a quick way to spot it.
Upgraded Phishing Tactics
As ARCHIPELAGO’s older phishing techniques lose effectiveness, the group keeps experimenting with new tactics that are harder for defenders to analyze and for security controls to catch.
In a recently identified campaign, the actors sent a phishing email with a link to a PDF file hosted on OneDrive.
“The PDF claimed to be a message from the State Department Federal Credit Union notifying customers they detected malicious logins from their Google Account and that the customer should click the link in the PDF to verify activity from their Gmail account.”
When the victim clicks the link in the PDF, it redirects to the phishing page. Placing the phishing link inside an otherwise benign PDF hosted on a legitimate cloud service helps the email evade detection, because the message itself contains only a link to a trusted domain.
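As an added illustration (not code from Google TAG or from the article), the following Python script shows the kind of triage a defender can run on a PDF lure like the one above: it pulls every /URI link action out of the file and flags links whose host is outside an expected set, or that carry a brand name on an untrusted domain. The sample PDF bytes, the expected-domain list, the brand-word list and the lookalike heuristic are all constructed for the example. Real PDFs usually Flate-compress their objects, so the bytes would first need inflating with a PDF library, which this example does not do.

```python
import re
from urllib.parse import urlparse

# Constructed, uncompressed PDF fragment with two /Link annotations: one to a
# real Google sign-in URL and one to an attacker-style lookalike host.
# Real PDFs usually Flate-compress their objects and would need inflating first.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://accounts.google.com/signin) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://accounts-google.verify-activity.example/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI values are PDF strings: either a literal "( ... )" with backslash escapes
# or a hex string "< ... >".  The literal alternative allows escaped parentheses.
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)


def decode_pdf_string(token: bytes) -> str:
    """Turn a raw PDF string token (with its delimiters) into text."""
    if token.startswith(b"<"):
        hexdata = re.sub(rb"\s", b"", token[1:-1])
        if len(hexdata) % 2:            # PDF pads an odd trailing digit with 0
            hexdata += b"0"
        return bytes.fromhex(hexdata.decode("ascii")).decode("latin-1")
    body = token[1:-1]
    # Unescape \( \) and \\ ; other escapes (\n, octal) are rare in URLs and left as-is.
    body = re.sub(rb"\\([()\\])", lambda m: m.group(1), body)
    return body.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Every /URI action in the (uncompressed) PDF, in document order."""
    return [decode_pdf_string(m.group(1)) for m in _URI_RE.finditer(pdf_bytes)]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_domains(host: str, domains) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed allow-list for a lure that claims to concern the victim's Google account.
EXPECTED_DOMAINS = ("google.com", "gmail.com")
BRAND_WORDS = ("google", "gmail")


def triage_pdf_links(pdf_bytes: bytes, expected=EXPECTED_DOMAINS) -> list[dict]:
    """Flag links that leave the expected domains, especially brand lookalikes."""
    findings = []
    for url in extract_uris(pdf_bytes):
        host = host_of(url)
        reasons = []
        if not host:
            reasons.append("no host (javascript:/file: or malformed URL)")
        elif not in_domains(host, expected):
            reasons.append("host outside expected domains")
            if any(w in host for w in BRAND_WORDS):
                reasons.append("brand name on untrusted host (lookalike)")
        findings.append({"url": url, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_pdf_links(SAMPLE_PDF):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["url"], f["reasons"])
```

Run as-is it reports the first link as fine and the second as suspicious on two counts. The regex approach is deliberately tolerant of malformed files, which is what you want for triage; for a production pipeline, parse the annotation tree with a real PDF library so that links hidden in compressed object streams or in form actions are not missed.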
Threat Actor’s Tactics with Malware
TAG researchers also found ARCHIPELAGO increasingly investing in malware development, adding detection-evasion features and other sophisticated techniques.
To bypass antivirus scanning, the actors deliver malware in password-protected archives and share the password in the phishing email itself, so the file cannot be inspected in transit.
The attackers also use several other novel techniques:
Encoding malware payloads and commands in Drive file names
Malware packaged in ISO files
Malicious Chrome Extensions
Google took action to disrupt ARCHIPELAGO’s use of Drive file names to encode malware payloads and commands, and the group has since stopped using this technique on Drive, Google says.
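The page does not say how the group encoded payloads and commands in Drive file names, so the following Python heuristic is an added example (not Google’s detection and not from the article) built on an assumption: that the names carried base64 or hex. It scans a constructed list of file names and flags those that decode to readable text or to a known executable header, while deliberately not flagging ordinary names that merely happen to be valid base64, which is the usual false positive of this kind of check.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample of file names as they might appear in a Drive listing.
# The encoding (base64 / hex) is an assumption; the page does not state it.
SAMPLE_NAMES = [
    "Interview_Questions_2023.docx",         # benign, yet a valid base64 string
    "IMG_20230406_123456.jpg",               # benign, base64-shaped charset
    "Y21kLmV4ZSAvYyB3aG9hbWk=.txt",          # base64 of a shell command
    "4d5a90000300000004000000ffff0000.bin",  # hex of a PE header prefix
]

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")   # standard or URL-safe alphabet
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")
MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"#!")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded text scores above ordinary names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def try_base64(s: str):
    """Decode standard or URL-safe base64, tolerating stripped padding; None if invalid."""
    normalized = s.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_meaningful(data: bytes) -> bool:
    """Decoded bytes count as meaningful if they start with a known file magic or
    are almost entirely printable (a command line or script).  Ordinary words that
    happen to be valid base64 decode to binary noise and fail this test."""
    if not data:
        return False
    if data.startswith(MAGIC):
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) >= 0.95


def classify_name(name: str) -> dict:
    """Classify one file name; 'decoded' holds the recovered bytes when flagged."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    entropy = shannon_entropy(stem)
    reasons, decoded = [], None
    is_hex = bool(HEX_RE.match(stem))
    if is_hex:
        candidate = bytes.fromhex(stem) if len(stem) % 2 == 0 else None
        if candidate and looks_meaningful(candidate):
            decoded = candidate
            reasons.append("hex-decodes to a known file header or text")
    elif B64_RE.match(stem):
        candidate = try_base64(stem)
        if candidate and looks_meaningful(candidate):
            decoded = candidate
            reasons.append("base64-decodes to a known file header or text")
    # Long high-entropy names that decode to nothing readable may still be
    # encrypted or chunked payloads; report them as a weaker signal.  Hex can
    # reach at most 4 bits/char, so it gets a lower threshold.
    threshold = 3.5 if is_hex else 4.5
    if decoded is None and len(stem) >= 32 and entropy >= threshold:
        reasons.append(f"long high-entropy name ({entropy:.2f} bits/char)")
    return {"name": name, "entropy": round(entropy, 2), "decoded": decoded,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_names(names):
    return [classify_name(n) for n in names]


if __name__ == "__main__":
    for finding in scan_names(SAMPLE_NAMES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['name']}  {finding['reasons']}")
```

On the sample list the two benign names pass, the base64 name is flagged and decodes to the constructed command, and the hex name is flagged on its MZ header. In practice you would feed this the file names from Drive audit logs or an admin API listing rather than a hard-coded list, and tune the entropy threshold against your own population of names before alerting on the weaker signal.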