German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics
23.3.23 APT The Hacker News
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS).
The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted.
Kimsuky, also known Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests."
Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organizations.
"This threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea," Google-owned threat intelligence firm Mandiant disclosed last year.
Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn.
The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue.
The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim's email content using the rogue add-on, which, in turn, leverages the browser's DevTools API to perform the function.
But in an escalation of Kimsuky's mobile attacks, the threat actor has been observed logging into victims' Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.
"The attacker logs in with the victim's Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app," the agencies explained. "At this time, the target's smartphone linked with the Google account is selected as the device to install the malicious app on."
It's suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as "internal testing" that allows third-party developers to distribute their apps to a "small set of trusted testers."
A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app, indicating that the campaign is extremely targeted in nature.
Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android's accessibility services. The apps' APK package names are listed below -
com.viewer.fastsecure (FastFire)
com.tf.thinkdroid.secviewer (FastViewer)
The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.