Kimsuky used Google Chrome extensions to steal the target’s Gmail emails.
Kimsuky also known as Thallium, Velvet Chollima is a North Korean threat organization. It conducts cyber-espionage against diplomats, journalists, government agencies, university academics, and politicians through spear phishing. Initially targeting South Korean targets, the threat actors gradually expanded their operations to the United States and European organizations.
According to a cybersecurity website the combined security alert was issued to warn of the hacker group’s two attack methods: a malicious Chrome extension and Android apps.
Moreover, the present effort is aimed at South Koreans. Kimsuky’s ideas may be applied internationally, therefore boosting awareness is critical.
Gmail email theft
The assault starts with a spear-phishing email. It pushes the victim to install a malicious Chrome extension. The extension also installs in Chromium-based browsers like Microsoft Edge or Brave.
The extension is called ‘AF,’ and it can be found in the extensions list by typing “(chrome|edge| brave)://extensions” into the browser’s address bar.
The victim uses the infected browser to access Gmail. The extension then immediately activates to intercept and steal the victim’s email content.
The extension leverages the browser’s developer tools API to transport the stolen data to the attacker’s relay server. Furthermore, it collects their emails while smartly circumventing their email security protocols.
Kimsuky has previously exploited malicious Chrome extensions to harvest emails from compromised PCs.
In July 2022, Volexity reported about a similar effort utilizing an extension dubbed “SHARPEXT” in July 2022. Kimsuky was using a similar method on academia targets in December 2018, according to Netscout.
This time, the hashes of the malicious files used by Kimsuky in its most recent attacks are:
582A033DA897C967FAADE386AC30F604 (bg.js)
51527624E7921A8157F820EB0CA78E29 (manifest.json)
51527624E7921A8157F820EB0CA78E29 (dev.js)
Malware for Android
Kimsuky’s Android malware is known as “FastViewer,” “Fastfire,” or “Fastspy DEX”. Moreover, it has been observed posing as a security plugin or document viewer since October 2022.
However, according to a Korean security service website, the threat actors modified FastViewer in December 2022. Thus, they continued to use the virus after its hashes were publicly disclosed.
Kimsuky begins the assault by signing into the victim’s Google account. Which they had previously obtained through phishing emails or other ways.
The hackers then exploit Google Play’s web-to-phone synchronization capability. It allows users to install apps on their paired devices from their computers to install the virus.
Whenever an attacker requests Google Play to install malicious software. The software is uploaded to the developer site for “internal testing only” with the victim’s device ostensibly included in that list.
This approach would not work for large-scale campaigns. However, it is extraordinary and very stealthy for limited targeted operations like Kimsuky’s.
The Android virus is a remote access trojan program. It allows hackers to drop, create, delete, or steal files, obtain contact lists, make calls, monitor or send SMS, activate the camera, keylog, and watch the desktop.
Individuals and businesses must be watchful and employ robust security measures. As Kimsuky’s techniques change and more sophisticated methods to exploit Google Workspace email platforms are developed.
This involves keeping software up to date and being wary of unusual emails or links. Most important check accounts regularly for suspicious behavior.
