Mar 23, 2023 | Ravie Lakshmanan
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users’ Gmail inboxes.

The joint advisory[1] comes[2] from Germany’s domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea’s National Intelligence Service of the Republic of Korea (NIS).

The intrusions are designed to strike “experts on the Korean Peninsula and North Korea issues” through spear-phishing campaigns, the agencies noted.

Kimsuky[3], also known as Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element[4] within North Korea’s Reconnaissance General Bureau and is known to “collect strategic intelligence on geopolitical events and negotiations affecting the DPRK’s interests.”

Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organizations.

“This threat actor’s activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea,” Google-owned threat intelligence firm Mandiant disclosed[5] last year.

Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer[6], and RambleOn[7].

The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue[8].

The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim’s email content using the rogue add-on, which, in turn, leverages the browser’s DevTools API to perform the function.
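As an added defender-side example (not code from the advisory or from this article), the following Python script triages unpacked Chromium extension manifests for the permission profile an inbox-reading add-on of this kind would need: the `debugger` permission, which is how an extension reaches the DevTools protocol (chrome.debugger), combined with host access covering mail.google.com. The weights, the threshold and the two sample manifests are constructed assumptions.

```python
import json
from pathlib import Path
# An extension reaches the DevTools protocol through chrome.debugger, which
# requires the "debugger" permission; combined with host access covering
# Gmail that is the permission profile of an inbox-reading add-on.
SENSITIVE = {"debugger", "webRequest", "cookies", "tabs", "scripting"}
MAIL_PATTERNS = ("mail.google.com", "*://*/*", "<all_urls>")

def split_permissions(manifest):
    """Return (api_permissions, host_patterns); MV2 lists hosts in 'permissions'."""
    api = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in api if "://" in p or p == "<all_urls>"}
    api -= hosts
    return api, hosts

def assess_manifest(manifest):
    """Score a parsed manifest.json; returns (score, reasons). Weights are assumptions."""
    api, hosts = split_permissions(manifest)
    reasons, score = [], 0
    if "debugger" in api:
        reasons.append("requests 'debugger' (DevTools protocol access)")
        score += 2
    mail = sorted(h for h in hosts if any(m in h for m in MAIL_PATTERNS))
    if mail:
        reasons.append("host access covering Gmail: " + ", ".join(mail))
        score += 2
    other = sorted((api & SENSITIVE) - {"debugger"})
    if other:
        reasons.append("other sensitive permissions: " + ", ".join(other))
        score += len(other)
    return score, reasons

def scan_extensions(root, threshold=4):
    """Report unpacked extensions under root whose score reaches threshold."""
    findings = {}
    for mf in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        score, reasons = assess_manifest(manifest)
        if score >= threshold:
            findings[str(mf.parent)] = (manifest.get("name", "?"), score, reasons)
    return findings
# Constructed sample manifests (not real Kimsuky artifacts).
SUSPICIOUS = {"manifest_version": 3, "name": "Mail Helper", "permissions":
              ["debugger", "tabs", "storage"], "host_permissions": ["*://mail.google.com/*"]}
BENIGN = {"manifest_version": 2, "name": "Dark Theme", "permissions": ["storage"]}
```

Pointed at a Chrome profile's Extensions directory, scan_extensions triages every installed extension; the score is a heuristic starting point for analyst review, not a verdict.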
But in an escalation of Kimsuky’s mobile attacks, the threat actor has been observed logging into victims’ Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.

“The attacker logs in with the victim’s Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app,” the agencies explained. “At this time, the target’s smartphone linked with the Google account is selected as the device to install the malicious app on.”

It’s suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as “internal testing[9]” that allows third-party developers to distribute their apps to a “small set of trusted testers.”
A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app[11], indicating that the campaign is extremely targeted in nature.

Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android’s accessibility services. The apps are listed below:
- com.viewer.fastsecure (FastFire)
- com.tf.thinkdroid.secviewer (FastViewer)

The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft[12] has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.
References
- [1] joint advisory (www.verfassungsschutz.de)
- [2] comes (asec.ahnlab.com)
- [3] Kimsuky (thehackernews.com)
- [4] subordinate element (www.cisa.gov)
- [5] disclosed (www.mandiant.com)
- [6] FastFire, FastSpy, FastViewer (thehackernews.com)
- [7] RambleOn (thehackernews.com)
- [8] Stolen Pencil and SharpTongue (thehackernews.com)
- [9] internal testing (play.google.com)
- [10] RESERVE YOUR SEAT (thn.news)
- [11] cannot exceed 100 users per app (support.google.com)
- [12] ScarCruft (thehackernews.com)
- [13] Twitter (twitter.com)
- [14] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
