Businesses and organizations across all industries now prioritize cybersecurity as a top priority in an increasingly digital world. Following cyber threats and breaches, security executives are facing increasing liability issues, as reported in recent studies. In addition to highlighting the necessity of effective cybersecurity measures, the Securities and Exchange Commission (SEC) has been actively monitoring the activities of security leaders.
Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency.
In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus.
Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic.
APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies.
Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing.
In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials.
According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file.
Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine.
APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself.
Here, we have listed some measures that could ensure protection against malicious APT43 attacks:
Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.
The most recent threat activities conducted were primarily targeted at organizations in Colombia, involving sectors like “health, finance, law enforcement, immigration, and an agency in charge of peace negotiation in the country.”
Check Point researchers, who recently examined the Blind Eagle, also known as APT-C-36, noted the adversary and its advanced toolset that includes Meterpreter payloads, distributes through spear-phishing emails.
Blind Eagle’s phishing emails lure its victims over the false impression of fear and urgency. The email notifies its recipients that they have "obligaciones pendentes," or "outstanding obligations," with some letters informing them that their tax payments are forty-five days overdue.
The cleverly-crafted emails are being provided with a link, navigating users to a PDF file that appears to be hosted on DIAN’s website but actually installs malware to the targeted systems, effectively launching the infection cycle.
The BlackBerry researchers explain it further:
"The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices," says the BlackBerry researchers. "Clicking the blue button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam."
"A malicious [remote access trojan] installed on a victim's machine enables the threat actor to connect to the infected endpoint any time they like, and to perform any operations they desire," they further add.
The researchers also noted that the threat actors utilize dynamic DNS services such as DuckDNS in order to take control of the compromised hosts.
Owing to the use of Spanish in its spear-phishing emails, Blind Eagle is believed to be a group of Spanish-speaking hackers. However, the headquarters from where the attacks are conducted and whether the attacks are carried out for espionage or financial gain are both currently undetermined.
"The modus operandi used has mostly stayed the same as the group's previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work," BlackBerry said.