Google’s Threat Analysis Group (TAG) released a report detailing cyber activities of a North Korean state-backed threat actor it tracks as Archipelago that has been targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the United States since at least 2012.
The TAG team believes Archipelago is a subset of another North Korea-linked cyber-espionage group, APT43, which, according to a recent Mandiant report, is a moderately sophisticated threat actor that uses cybercrime to fund its espionage efforts. In past public reports, some of this group's operations have been referred to as Kimsuky and Thallium.
Archipelago’s attack chains involve the use of phishing emails with malicious links that, when clicked, redirect the recipient to a fake login prompt designed to steal credentials.
“Archipelago invests time and effort to build rapport with targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file,” the report reads.
In one instance the threat actor posed as a journalist for a South Korean news agency and sent benign emails with an interview request to North Korea experts. When recipients replied expressing interest in an interview, the group continued the correspondence over several emails before finally sending a OneDrive link to a password-protected file that contained malware.
The group is also known to shift phishing tactics to make it more difficult for users and security solutions to detect attacks.
More recently, the threat actor has begun incorporating malware (for example, BabyShark) into its credential phishing campaigns, including efforts to evade detection and develop novel malware techniques. To keep its malware from being scanned by AV, the adversary commonly password-protects the file and shares the password with recipients in the phishing email.
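Because a mail gateway cannot inspect the members of a password-protected archive, the mere presence of encrypted entries is a useful triage signal on its own. The script below is an added example, not code from the TAG report or this article: it hand-assembles a minimal ZIP in memory (so it runs offline) with the general-purpose "encrypted" flag bit set on its member, alongside a normal archive and a non-archive, and classifies each attachment by reading only the archive headers. The attachment names and payloads are constructed sample data.

```python
"""Flag e-mail attachments that are password-protected ZIP archives."""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0 of the ZIP format: member is encrypted
DOS_DATE = (2023 - 1980) << 9 | 1 << 5 | 1  # 2023-01-01 in MS-DOS date encoding
DOS_TIME = 0


def build_zip(members, encrypted):
    """Hand-assemble a STORED zip so the encryption flag can be set explicitly.

    `members` is a list of (name, payload_bytes). For the encrypted variant the
    payload stands in for ciphertext, which is all a scanner sees without the
    password; only the headers matter for detection.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, data in members:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # Local file header: sig, version, flags, method(0=stored), time, date,
        # crc, compressed size, uncompressed size, name length, extra length.
        local += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0,
                             DOS_TIME, DOS_DATE, crc, len(data), len(data),
                             len(name_b), 0)
        local += name_b + data
        # Central directory header for the same member.
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20,
                               flags, 0, DOS_TIME, DOS_DATE, crc, len(data),
                               len(data), len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    # End of central directory record.
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(members),
                       len(members), len(central), len(local), 0)
    return bytes(local + central + eocd)


def encrypted_members(zip_bytes):
    """Return the names of archive members whose 'encrypted' flag is set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist()
                if zi.flag_bits & ENCRYPTED_FLAG]


def triage_attachment(payload):
    """Classify one attachment body; returns a short verdict string."""
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return "not-zip"
    if encrypted_members(payload):
        return "password-protected-archive"  # AV cannot see inside: escalate
    return "plain-archive"


# Constructed sample attachments standing in for what a mail gateway would see.
SAMPLE_ATTACHMENTS = {
    "interview_questions.zip": build_zip(
        [("questions.doc", b"\x9f\x1c\x33\x7a\x00\x41\xde\xad")], encrypted=True),
    "agenda.zip": build_zip([("agenda.txt", b"1. Welcome\n")], encrypted=False),
    "photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:28s} {verdict}")
```

The check deliberately reads only the central directory, so it is cheap to run on every attachment; a gateway policy can then quarantine or route encrypted archives to a sandbox that prompts for the password found in the mail body.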
The group is known to host malicious payloads on Google Drive in the form of blank files or ISO optical disc images, and use malicious Chrome extensions that steal credentials and browser cookies in combination with phishing and malware.
“More recently, Archipelago has attempted work-arounds to install a new malicious Chrome extension known publicly as SHARPEXT. If successfully installed on a user system, SHARPEXT can parse emails from active Gmail or AOL Mail tabs and exfiltrate them to an attacker-controlled system. As a result of improved security in the Chrome extension ecosystem, ARCHIPELAGO must now complete several additional steps to install the extension, including first successfully installing malware on the user system and then overwriting the Chrome Preferences and Secure Preferences files to allow the extension to run,” the TAG team noted.
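The quoted passage describes the actor having to run malware on the host first and then rewrite Chrome's Preferences and Secure Preferences files so a non-Web-Store extension is allowed to run. A defender can read those same JSON files and look for extension entries that do not look like an ordinary Web Store install. The script below is an added example, not code from TAG or the article. The key names follow the layout of Chromium's preference files as I know them (extension entries under `extensions.settings.<id>` with `from_webstore`, `location`, `path` and `manifest`, and `protection.macs` mirroring that tree); the numeric location codes are my recollection of Chromium's Manifest::Location enum and should be confirmed against the Chrome version in use. The sample document, extension ids and paths are constructed.

```python
"""Hunt for sideloaded Chrome extensions in a profile's preference files."""
import json
import os
import re

# Assumed Chromium Manifest::Location codes; verify against the Chrome build in use.
LOCATION_INTERNAL = 1      # normal install under the profile's Extensions directory
LOCATION_UNPACKED = 4      # "Load unpacked" developer-mode install
LOCATION_COMPONENT = 5     # built into Chrome itself
LOCATION_COMMAND_LINE = 8  # loaded via --load-extension
TRUSTED_LOCATIONS = {LOCATION_INTERNAL, LOCATION_COMPONENT}
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Windows drive path or a rooted POSIX/UNC path; Web Store installs use relative paths.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")


def extension_findings(prefs):
    """Return {extension_id: [reasons]} for entries that look sideloaded."""
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = (prefs.get("protection", {}).get("macs", {})
            .get("extensions", {}).get("settings", {}))
    findings = {}
    for ext_id, entry in settings.items():
        reasons = []
        manifest = entry.get("manifest", {})
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if entry.get("location") not in TRUSTED_LOCATIONS:
            reasons.append(f"location={entry.get('location')} is not internal/component")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Chrome Web Store")
        path = entry.get("path", "")
        if ABS_PATH_RE.match(path):
            reasons.append(f"absolute path {path!r} outside the profile")
        if ext_id not in macs:
            # Secure Preferences stores a MAC per protected pref; a hand-edited
            # entry may have none (or Chrome would have discarded it on load).
            reasons.append("no protection MAC recorded for this entry")
        if reasons:
            findings[ext_id] = reasons
    return findings


def findings_from_json(text):
    """Convenience wrapper for a preference file already read into memory."""
    return extension_findings(json.loads(text))


def scan_profile(profile_dir):
    """Check both preference files Chrome keeps in a profile directory.

    On Windows the default profile is %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default.
    """
    combined = {}
    for fname in ("Preferences", "Secure Preferences"):
        fpath = os.path.join(profile_dir, fname)
        if os.path.exists(fpath):
            with open(fpath, encoding="utf-8") as fh:
                combined.update(extension_findings(json.load(fh)))
    return combined


# Constructed Secure Preferences excerpt; ids and paths are placeholders.
BENIGN_ID = "a" * 32
SIDELOADED_ID = "b" * 32
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        BENIGN_ID: {
            "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
            "path": BENIGN_ID + "\\2.1.0_0",
            "manifest": {"name": "Corporate SSO Helper", "version": "2.1.0",
                         "update_url": WEBSTORE_UPDATE_URL},
        },
        SIDELOADED_ID: {
            "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
            "manifest": {"name": "Mail Helper", "version": "1.0"},
        },
    }},
    "protection": {"macs": {"extensions": {"settings": {
        BENIGN_ID: "<hmac placeholder>"}}}},
})

if __name__ == "__main__":
    for ext_id, reasons in findings_from_json(SAMPLE_SECURE_PREFS).items():
        print(ext_id, *reasons, sep="\n  ")
```

Pair the file check with file-integrity or EDR monitoring on the two preference files themselves: a write to Secure Preferences by anything other than the Chrome process, especially shortly after a new process first appeared on the host, matches the sequence the report describes.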