
Government agencies in Germany and South Korea have warned of cyberattacks by the threat actor tracked as Kimsuky that steal a user's Gmail inbox with a rogue browser extension.
This joint recommendation comes from Germany’s domestic intelligence agency, the Federal Constitutional Protection Office (BfV), and South Korea’s National Intelligence Service (NIS).
The intrusions are designed to attack “experts on Korean Peninsula and North Korea issues” through spear-phishing campaigns, the agencies said.
Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau that is responsible for "gathering strategic intelligence on geopolitical events and negotiations affecting North Korea's interests."
Its primary targets of interest are US and South Korean organizations; in particular, it singles out individuals who work within government, military, manufacturing, academic, and think tank organizations.
"This threat actor's activities include the collection of financial, personal, and customer data, particularly from South Korea's academic, manufacturing, and national security industries," Google-owned threat intelligence firm Mandiant noted last year.
Recent attacks orchestrated by this group suggest that its cyber activity has expanded to include Android malware strains such as FastFire, FastSpy, FastViewer and RambleOn.
Kimsuky's use of Chromium-based browser extensions for cyber espionage is nothing new: the group has previously employed similar techniques in campaigns tracked as Stolen Pencil and SharpTongue.

SharpTongue's operations also overlap with the latest effort in that the latter can likewise steal a victim's email content using a rogue add-on, one that leverages the browser's DevTools API to extend its functionality.
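A defender reviewing a user's browser after a report like this will want to inventory installed Chromium extensions and flag those whose manifest requests the capabilities a mail-stealing add-on needs (the `debugger` permission behind the DevTools API, or host access to mail.google.com). The scanner below is an added example written for this article, not code from the agencies' advisory; the profile directory layout (`Extensions/<id>/<version>/manifest.json`) is standard Chromium, while the permission and host lists it flags are this example's own assumptions.

```python
import json
from pathlib import Path

# Permissions that let an extension read or script another tab's session (assumed watch-list).
HIGH_RISK_PERMISSIONS = {"debugger", "webRequest", "webRequestBlocking", "cookies", "tabs", "scripting"}
# Host patterns we treat as webmail access; the article only names Gmail.
WEBMAIL_HOST_HINTS = ("mail.google.com",)

def host_patterns(manifest):
    """Collect host match patterns from both MV2 and MV3 manifest layouts."""
    pats = []
    for key in ("permissions", "host_permissions"):
        pats += [p for p in manifest.get(key, []) if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    for cs in manifest.get("content_scripts", []):
        pats += [m for m in cs.get("matches", []) if isinstance(m, str)]
    return pats

def assess_manifest(manifest):
    """Return a list of human-readable findings for one parsed manifest (empty if nothing suspicious)."""
    findings = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("sensitive permissions: " + ", ".join(risky))
    hosts = host_patterns(manifest)
    if any(h == "<all_urls>" or h.startswith("*://*/") for h in hosts):
        findings.append("broad host access")
    mail = [h for h in hosts if any(hint in h for hint in WEBMAIL_HOST_HINTS)]
    if mail:
        findings.append("webmail host access: " + ", ".join(mail))
    return findings

def scan_extensions(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; return {extension_id: findings}."""
    report = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than abort the sweep
        ext_id = manifest_path.parents[1].name
        findings = assess_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

if __name__ == "__main__":
    import sys
    profile = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / ".config/google-chrome/Default")
    for ext_id, findings in scan_extensions(profile).items():
        print(ext_id, "->", "; ".join(findings))
```

A hit only means the extension is worth a closer look; legitimate mail-related extensions also request Gmail host access, so compare the flagged IDs against an allow-list before removing anything.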
In what is described as an escalation of Kimsuky's mobile attacks, the attackers were confirmed to have used credentials previously obtained through phishing to log into victims' Google accounts and install malicious apps on the devices linked to those accounts.
"The attacker logs into the victim's Google account on the PC, accesses the Google Play store, and requests the installation of a malicious app," the agencies said. "Currently, the target smartphone linked to the Google account is selected as the device on which to install the malicious app."
Apps that incorporate FastFire and FastViewer are suspected of being distributed using a Google Play feature known as "internal testing," which allows third-party developers to distribute their apps to a "small number of trusted testers."
A point worth mentioning here is that these internal app tests, which are run before an app is released to production, are limited to 100 users per app. This indicates that the campaign is highly targeted in nature.
Both malware-laden apps are capable of abusing Android's accessibility services to collect a range of sensitive information. The apps are listed below:
- com.viewer.fastsecure (FastFire)
- com.tf.thinkdroid.secviewer (FastViewer)
The disclosure comes as a North Korean Advanced Persistent Threat (APT) actor called ScarCruft has been linked to various attack vectors used to deliver PowerShell-based backdoors to compromised hosts.