The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) have jointly issued an information security advisory.
The advisory warns about the hacking group Kimsuky (also known as Thallium and Velvet Chollima), which was found to be using malicious Chrome extensions to gain unauthorised access to Gmail accounts and steal sensitive information from them.
Kimsuky, a North Korean threat group, uses spear phishing to spy on the following people and organisations:
Diplomats
Journalists
Government departments
Professors at universities
Politicians
At first, the threat actors focused mostly on targets in South Korea. Over time, however, they have greatly expanded their operations to targets in the following regions:
Europe and the United States
The threat actors have used two vectors to carry out the attack on their targets:
A malicious Chrome extension
Malicious Android apps
As noted above, the current Kimsuky campaign is mostly aimed at people in South Korea.
Threat actors could, however, use the same TTPs against victims anywhere in the world, so it is important to be aware of these TTPs and to detect them so that they cannot be used against you.
Plan of attack
The Kimsuky attack strategy starts with a targeted spear-phishing email that tells the victim to install a malicious Chrome extension.
It’s important to know that this extension can infect other Chromium-based browsers in addition to Chrome.
Brave
Microsoft Edge
The extension is named “AF” and may not appear in the browser’s extensions list under normal circumstances. To check whether the malicious extension used in the Kimsuky attack is installed, users should type the following address into the browser’s address bar:
(chrome|edge|brave)://extensions
When the victim opens Gmail in the infected browser, the extension activates automatically; as soon as the victim opens their mail, it accesses the email account and exfiltrates its contents.
The extension abuses the browser’s Devtools API to send the stolen data to a server under the attacker’s control.
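As an added example that is not part of the advisory or this article, the following Python script audits the extensions recorded in a Chromium profile’s Preferences file, flagging the extension name reported above together with the capabilities a Devtools-API-based extension would need. The JSON layout, the `from_webstore` flag and the devtools/debugger heuristics are this example’s assumptions, and the sample data is constructed.

```python
# Added example, not code from the BfV/NIS advisory. Assumption: a Chromium
# profile's "Preferences" (on Windows "Secure Preferences") JSON records each
# installed extension under extensions.settings.<id> with its manifest, an
# install "path" and a "from_webstore" flag. The name "AF" is from the
# advisory; the devtools_page/"debugger" heuristics are this example's own.
import json
import sys
from pathlib import Path

SUSPECT_NAMES = {"AF"}  # extension name reported in the advisory

# Constructed sample Preferences content: one store-installed extension and
# one sideloaded extension shaped like the advisory's description.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
        "manifest": {"name": "Benign Notes", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\af",
        "manifest": {"name": "AF", "devtools_page": "devtools.html",
                     "permissions": ["debugger", "tabs", "<all_urls>"]}},
}}})

def audit(prefs_text: str) -> list[dict]:
    """Return one finding per extension that trips any heuristic."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if manifest.get("name") in SUSPECT_NAMES:
            reasons.append("name matches advisory")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if "devtools_page" in manifest:
            reasons.append("registers a devtools page")
        if "debugger" in manifest.get("permissions", []):
            reasons.append("requests debugger permission")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", ""),
                             "path": entry.get("path", ""), "reasons": reasons})
    return findings

if __name__ == "__main__":
    # Usage: python audit_extensions.py "<profile dir>/Preferences"
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in audit(text):
        print(json.dumps(finding))
```

Run it against a copied Preferences file rather than the live one, since the browser rewrites the file while it is open.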
The advisory also lists the file hashes of the malicious files Kimsuky used in this attack.
Kimsuky uses the following Android malware to infect Android devices:
FastViewer
Fastfire
Speedy DEX
Since the researchers had already made the hashes of FastViewer public, the threat actors updated it in December 2022 so they could continue to use it.
Kimsuky’s operators obtain the victim’s Google account credentials through a phishing email or another attack and use them to log into the account. The attackers also abuse a Google Play feature that syncs information from the web to the phone.
This feature lets users install apps on their connected devices straight from their computers, which makes it possible to push malware onto those devices.
Kimsuky’s Android malware is a Remote Access Trojan (RAT), which gives attackers a range of malicious capabilities, such as:
Deliver additional payloads
Create files
Remove files
Steal files
Obtain contact lists
Make phone calls
Read SMS messages
Send SMS
Turn on the camera
Conduct keylogging
View the screen
Kimsuky’s methods for breaking into Gmail accounts are constantly evolving, so it is important for both individuals and organisations to keep comprehensive security measures in place.