The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) have issued a joint cybersecurity advisory warning about the North Korean hacking group Kimsuky's use of malicious Chrome extensions and Android applications to steal Gmail emails.
The spear-phishing campaign targets diplomats, journalists, government agencies, university professors, and politicians, with operations expanding over time to include entities in the USA and Europe. The current campaign targets people in South Korea, but the methods used by Kimsuky can be applied globally.
The spear-phishing email urges victims to install a malicious Chrome extension named ‘AF,’ which automatically activates to intercept and steal email content from Gmail when victims use the infected browser. The extension abuses the Devtools API (developer tools API) on the browser to send stolen data to the attacker’s relay server.
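A defender's first question after reading the paragraph above is whether any extension already installed in a managed browser holds the same capabilities: DevTools/debugger access plus the ability to read Gmail pages. The following audit script is an added example, not code from the advisory or from either agency; it walks a Chrome profile's `Extensions` directory, parses each `manifest.json`, and flags those combinations. The heuristics, the two sample manifests and the extension ids are constructed assumptions for illustration, not published indicators of the 'AF' extension.

```python
"""Flag Chrome extensions whose manifest grants the capabilities the advisory
describes: DevTools/debugger access and the ability to read Gmail pages.

Added defensive example; the heuristics and the sample manifests below are
constructed assumptions, not indicators published in the advisory.
"""
import json
import os
import tempfile

# Chrome profile layout: <profile>/Extensions/<extension id>/<version>/manifest.json
GMAIL_HOST = "mail.google.com"
CATCH_ALL_HOSTS = ("<all_urls>", "*://*/*", "https://*/*", "http://*/*")


def host_pattern_covers_gmail(pattern: str) -> bool:
    """True if a match pattern reaches Gmail, either explicitly or via a wildcard."""
    return GMAIL_HOST in pattern or pattern in CATCH_ALL_HOSTS


def manifest_findings(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest (empty list = nothing flagged)."""
    findings = []
    permissions = list(manifest.get("permissions", [])) + list(manifest.get("optional_permissions", []))
    if "debugger" in permissions:
        findings.append("requests the debugger permission")
    if "devtools_page" in manifest:
        findings.append("declares a devtools_page (DevTools API access)")
    # Manifest V3 lists hosts separately; V2 mixes URL patterns into "permissions".
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in permissions if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    if any(host_pattern_covers_gmail(h) for h in hosts):
        findings.append("can run on or read Gmail pages")
    return findings


def scan_extensions_dir(extensions_root: str) -> list:
    """Walk a Chrome Extensions directory; return (id, version, name, findings) for flagged extensions."""
    flagged = []
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            findings = manifest_findings(manifest)
            if findings:
                # Names starting with __MSG_ are localized; resolve them from _locales if needed.
                flagged.append((ext_id, version, manifest.get("name", "?"), findings))
    return flagged


# Constructed sample manifests: a stand-in with the advisory's capability profile, and a benign one.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "AF",
    "version": "1.0",
    "permissions": ["debugger", "storage"],
    "host_permissions": ["https://mail.google.com/*"],
    "devtools_page": "devtools.html",
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Tab counter",
    "version": "2.1",
    "permissions": ["tabs"],
}


def demo() -> list:
    """Write the two sample manifests into a throwaway profile layout and scan it."""
    root = tempfile.mkdtemp(prefix="chrome-ext-audit-")
    for ext_id, manifest in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", SUSPICIOUS_MANIFEST),
                             ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", BENIGN_MANIFEST)):
        version_dir = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return scan_extensions_dir(root)


if __name__ == "__main__":
    for ext_id, version, name, findings in demo():
        print(f"{ext_id} {version} {name!r}: {', '.join(findings)}")
```

Point `scan_extensions_dir` at a real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) to audit a workstation; in a managed fleet the same check is better enforced up front with the `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist` Chrome policies, so that an unapproved extension such as the one the advisory describes cannot be installed from a phishing email in the first place.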
This is not the first time Kimsuky has used malicious Chrome extensions to steal emails from breached systems.
Separately, the Android malware used by Kimsuky is named "FastViewer," "Fastfire," or "Fastspy DEX," and was first reported in October 2022, masquerading as a security plugin or document viewer.
The hackers log in to the victim’s Google account and abuse the web-to-phone synchronization feature of Google Play to install the malware on the victim’s device. The malicious app is submitted for “internal testing only” and supposedly added as a testing target.
Furthermore, the Android malware is a RAT (remote access trojan) enabling the hackers to drop, create, delete, or steal files, get contact lists, perform calls, monitor or send SMS, activate the camera, perform keylogging, and view the desktop.
Kimsuky continues to evolve its tactics and develop more sophisticated methods to compromise Gmail accounts, making it crucial for individuals and organizations to remain vigilant and implement robust security measures. This includes keeping software up-to-date, being cautious of unexpected emails or links, and regularly monitoring accounts for suspicious activity.