Another year, another North Korean malware-spreading, crypto-stealing gang named • The Register

Google Cloud’s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cybercriminal gang called APT43 and is accusing it of a five-year rampage.

“Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime,” said a report on the gang released Wednesday.

The report observes that APT43’s activities have sometimes been attributed to actors known as “Thallium” or “Kimsuky” — such as the 2021 attack on South Korea’s nuclear research agency.

That raid is typical of APT43’s activities. That’s in line with the group’s goal of strategic intelligence gathering to keep North Korea informed of its enemies’ activities and capabilities.

APT43 mostly uses spear-phishing and fake websites to gather information, avoiding zero-day vulnerabilities. Once it compromises a target, the gang’s favorite tool is LATEOP – a backdoor based on VisualBasic scripting. It has also used malware such as gh0st RAT, QUASARRAT and AMADE to run its business. The gang does not appear to be a notable malware innovator, but Mandian has observed “a steady evolution and expansion of the operation’s malware library over time.”

As North Korea’s needs change, so do APT43’s activities and goals. Before 2020, it targeted diplomatic organizations and think tanks that considered strategic issues surrounding the Korean Peninsula. It then shifted focus to healthcare organizations, in what Mandiant believes was a desire to gather information related to COVID-19.

These shifts have seen the group attack different types of targets. But Mandiant’s analysts believe it has an overall purpose of “activating North Korea’s weapons program, including: gathering information about international negotiations, sanctions policy and other countries’ foreign relations and domestic policies as these may affect North Korea’s nuclear ambitions.”

APT43 funds its own activities by stealing and laundering cryptocurrency, but these robberies are not its purpose. North Korea is actually supporting another gang – APT38 – to squeeze cryptocurrency.

But the gangs do not operate in isolation. Mandian claims “APT43 has shared infrastructure and tools with known North Korean operators, highlighting its role and mission alignment within a broader state-sponsored cyber apparatus.”

Interestingly, Mandiant believes that APT43 may also have a role in policing some of that apparatus.

“We have some indications that APT43 is also conducting internal surveillance of other North Korean operations, including non-cyber activities,” the report said. “APT43 has compromised individual spy actors, including those within its own operations. However, it is unclear whether this is intentional for self-policing purposes or accidental and indicates poor operational security.”

“Mandiant assesses with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence service,” the report adds.

“We expect APT43 to remain highly productive in conducting espionage campaigns and financially motivated activities that support these interests,” Mandiant’s report concludes. “We believe North Korea has become increasingly dependent on its cyber capabilities, and APT43’s persistent and continuously evolving operations reflect the country’s continued investment and reliance on groups such as APT43.” ®