German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics


German and South Korean government agencies have issued a warning about cyber attacks mounted by a threat actor tracked as Kimsuky. The attacks use rogue browser extensions to steal the Gmail inboxes of unsuspecting users.

The joint advisory was published by Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS).

The agencies said the intrusions are aimed at experts on Korean Peninsula and North Korea issues and are delivered through spear-phishing.

Kimsuky, also tracked as Black Banshee, Thallium, and Velvet Chollima, is a unit of North Korea's Reconnaissance General Bureau. It specializes in collecting intelligence on foreign affairs and negotiations that affect North Korea's interests.

Its primary targets are in the U.S. and South Korea, with particular emphasis on individuals working in government, military, manufacturing, academic, and think tank organizations.

Google-owned threat intelligence firm Mandiant has said the actor targets South Korean academic institutions, manufacturing companies, and national security organizations, among others, to obtain sensitive financial information and customers' personal data.

The group's recent attacks show it has expanded its toolset to include Android malware families such as FastFire, FastSpy, FastViewer, and RambleOn.

Kimsuky has used Chromium-based browser extensions for espionage before, in its Stolen Pencil and SharpTongue campaigns.

The SharpTongue campaign overlaps with the latest activity: both steal a victim's email content with a malicious extension that abuses the browser's DevTools API.

Kimsuky's mobile attacks have also escalated. The attackers have been observed logging into victims' Google accounts with credentials previously obtained through phishing, and then pushing a malicious app to the devices linked to those accounts.

According to the agencies, the attacker logs into the victim's Google account from a computer, opens the Google Play Store in the browser, and attempts to install a malicious app, choosing the target's smartphone, which is linked to the same Google account, as the device to install it on.

FastFire and FastViewer are suspected to be distributed through Google Play's internal testing feature, which lets third-party developers share their apps with a small group of trusted testers.

Internal testing is limited to 100 testers per app before an app is released publicly, which points to a tightly targeted campaign. Because the app arrives through Google Play itself, the victim never has to enable sideloading or approve an unknown source.

Both malware-laden apps abuse Android's accessibility services to harvest a range of sensitive information. Their APK package names are listed below.

  • com.viewer.fastsecure (FastFire)
  • (FastViewer)
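Since both apps rely on accessibility services, a quick triage check on a device is to list which packages currently hold an enabled accessibility service and compare them against an allowlist. The script below is an added example written for this article, not code from the advisory or from the agencies; it parses the colon-separated `package/ServiceClass` list that `adb shell settings get secure enabled_accessibility_services` returns. The allowlist and the sample device output are constructed for illustration, and the service class name shown for the FastFire package is hypothetical.

```shell
#!/bin/sh
# Flag enabled Android accessibility services whose package is not allowlisted.
# Added example, not from the advisory. Feed it the output of:
#   adb shell settings get secure enabled_accessibility_services
# Android stores that setting as package/ServiceClass entries separated by ':'.
# An empty value or the literal string "null" means no service is enabled.

# Assumption: an organisation-specific allowlist of accessibility packages.
ALLOWED="com.google.android.marvin.talkback com.android.switchaccess"

# flag_services "<colon-separated list>"
# Prints one line per entry whose package is not on ALLOWED.
# Returns 0 if everything is allowlisted, 1 if anything suspicious was found.
flag_services() {
  list="$1"
  found=0
  if [ -z "$list" ] || [ "$list" = "null" ]; then
    return 0
  fi
  old_ifs=$IFS
  IFS=':'
  for entry in $list; do
    pkg=${entry%%/*}            # strip "/ServiceClass" to get the package name
    case " $ALLOWED " in
      *" $pkg "*) ;;            # allowlisted, ignore
      *) echo "SUSPICIOUS accessibility service: $entry"; found=1 ;;
    esac
  done
  IFS=$old_ifs
  return $found
}

# Constructed sample, not real device output: one legitimate TalkBack service
# plus the FastFire package named in the advisory (service class name is hypothetical).
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.viewer.fastsecure/.AccessService"

flag_services "$SAMPLE" || echo "review the flagged package(s) above"
```

On a real device, replace the constructed `SAMPLE` with the setting value pulled over adb. A hit only tells you a non-allowlisted package holds accessibility privileges, which is a strong lead rather than proof of compromise, so follow it up by pulling the APK for analysis.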

The development comes as ScarCruft, another North Korean threat actor, has been found using a variety of attack methods to deploy PowerShell-based backdoors on compromised hosts.
