Google’s Threat Analysis Group (TAG) has published a report on a North Korean threat actor called APT43, describing the group’s targets and techniques as well as the steps Google took to disrupt this hacking collective.

In the report, TAG refers to APT43 as ARCHIPELAGO. According to the report, the group has been active since 2012 and targets individuals with expertise in North Korean policy issues such as sanctions, human rights, and non-proliferation.

These individuals include government and military staff, members of various think tanks, policymakers, academics, and researchers. Most are South Korean nationals, though not exclusively.

Notifying the victims

ARCHIPELAGO targets both the Google and non-Google accounts of these people. The group uses a range of tactics, all with the goal of stealing user credentials and installing infostealers, backdoors, or other malware on the targets’ endpoints.

Most of the time, they try phishing. The email back-and-forth can go on for days as the threat actor impersonates a familiar individual or organization and builds enough trust to successfully deliver malware via an email attachment.

Google said it combats this by adding newly discovered malicious websites and domains to Safe Browsing, sending alerts to people to let them know they are being targeted, and inviting them to enroll in Google’s Advanced Protection Program.

The hackers also hosted benign PDF files containing links to malware on Google Drive, expecting that this would evade detection by antivirus programs. They also encoded malicious payloads in the filenames of files hosted on Drive, while the files themselves were blank.

“Google took action to disrupt ARCHIPELAGO’s use of Drive file names to encode malware payloads and commands. The group has since discontinued their use of this technique on Drive,” Google said.
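The blank-file-with-encoded-name trick described above is something a defender can hunt for in their own cloud-storage audit data. The following heuristic is an added example written for this article, not code from Google or from the TAG report: it scans a constructed list of file metadata and flags zero-byte files whose name stem looks like a base64 or hex blob (or is long and high-entropy). The field names, sample entries, and thresholds are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample of file metadata (name and size in bytes). Not real data:
# the base64 name decodes to "ConstructedSampleNotAPayload" and the hex name
# decodes to "constructed hex sample".
SAMPLE_FILES = [
    {"name": "Q3-policy-brief.pdf", "size": 184320},
    {"name": "sanctions_overview.docx", "size": 52211},
    {"name": "Q29uc3RydWN0ZWRTYW1wbGVOb3RBUGF5bG9hZA==.txt", "size": 0},
    {"name": "notes.txt", "size": 0},
    {"name": "636f6e7374727563746564206865782073616d706c65.bin", "size": 0},
]

# Name stems made only of base64 or hex characters are the strongest signal.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{24,}$")

# Assumed thresholds: ordinary document names are short and low-entropy.
MIN_STEM_LEN = 24
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(text):
    """Bits of Shannon entropy per character of the given string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encoded(stem):
    """True if a filename stem resembles an encoded blob rather than a title."""
    if BASE64_RE.match(stem) or HEX_RE.match(stem):
        return True
    return len(stem) >= MIN_STEM_LEN and shannon_entropy(stem) > ENTROPY_THRESHOLD


def flag_suspicious(files):
    """Return names of zero-byte files whose stem looks like encoded data."""
    flagged = []
    for entry in files:
        stem = entry["name"].rsplit(".", 1)[0]  # strip the extension only
        if entry["size"] == 0 and looks_encoded(stem):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_FILES):
        print("suspicious zero-byte file with encoded-looking name:", name)
```

In practice the input would come from a Drive audit export or DLP listing rather than an inline list, and the thresholds should be tuned against the organisation’s normal naming patterns to keep false positives (legitimately hashed or UUID-named files) manageable.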

Finally, they built malicious Chrome extensions that let them steal login credentials and browser cookies. This prompted Google to harden the Chrome extension ecosystem; as a result, threat actors now need to first compromise the endpoint and overwrite the Chrome Preferences and Secure Preferences files to get the malicious extensions to run.
