
Kimsuky Updates its Tactics to Target South Korean Experts

North Korean threat group Kimsuky (aka Thallium and SmokeScreen) is known for its operational versatility in adopting new tools and tactics. Recently, it has devised two attack tactics that enhance its espionage capabilities without raising red flags on security radars: the abuse of a malicious Google Chrome extension and of malicious Android apps.

Why this matters

  • The current targets of the Kimsuky campaign are high-profile experts in South Korea; however, the attack tactics are generic and can be used against victims in other countries as well.
  • The two independent tactics are meant to steal Gmail emails from the infected Chromium-based web browsers and remotely install malicious applications on the target’s Android devices.

The German Bundesamt für Verfassungsschutz (BfV) and the National Intelligence Service of the Republic of Korea (NIS) disclosed the new tactics by Kimsuky in a joint security advisory.

Method 1: Browser extensions

  • The attackers send a spear-phishing email to the targeted victims, asking them to install a malicious Chrome extension named AF in their Chromium-based browser, such as Google Chrome, Microsoft Edge, or Brave.
  • Once the extension is installed, its malicious code waits for the victim to open Gmail in the browser and then intercepts the mailbox content to steal the emails.
  • The extension leverages the browser's DevTools API to send the stolen content back to the attacker's server.
  • This way, it bypasses security protections (such as secondary authentication) without raising any alarms, because the mail is read from an already authenticated session.
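As an added defender-side example (not code from the advisory or from this article), the following Python script walks a Chromium profile's Extensions directory and flags manifests that combine Gmail host access with a DevTools page or the debugger permission, the traits described above; the directory layout, the use of standard manifest keys and the sample manifest are assumptions.

```python
import json
from pathlib import Path

# Assumed: standard Chromium manifest keys; these host patterns would reach Gmail pages.
GMAIL_PATTERNS = ("mail.google.com", "*.google.com", "<all_urls>",
                  "*://*/*", "https://*/*", "http://*/*")
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def flatten_permissions(manifest):
    """Collect permission strings across MV2 and MV3 manifest keys."""
    perms = set()
    for key in PERMISSION_KEYS:
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    return perms

def assess_manifest(manifest):
    """Return risk indicators for one manifest; an empty list means nothing notable."""
    perms = flatten_permissions(manifest)
    # Content-script match patterns also grant page access, so treat them as hosts.
    hosts = perms | {m for cs in manifest.get("content_scripts", [])
                     for m in cs.get("matches", [])}
    indicators = []
    if any(pat in entry for entry in hosts for pat in GMAIL_PATTERNS):
        indicators.append("gmail-host-access")
    if "debugger" in perms:
        indicators.append("debugger-permission")
    if "devtools_page" in manifest:
        indicators.append("devtools_page-declared")
    return indicators

def scan_extensions(root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and keep suspicious ones."""
    findings = {}
    for path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        hits = assess_manifest(manifest)
        # Gmail access alone is common; require a DevTools capability as well before flagging.
        if "gmail-host-access" in hits and len(hits) > 1:
            findings[path.parent.parent.name] = (manifest.get("name", "?"), hits)
    return findings

# Constructed sample manifest mirroring the traits described above (not the real extension).
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "constructed-sample",
                   "permissions": ["storage", "tabs"], "devtools_page": "devtools.html",
                   "host_permissions": ["*://mail.google.com/*"]}
```

Point `scan_extensions()` at a profile's `Extensions` folder to list extension IDs worth reviewing; the output is a triage hint, not a verdict.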

Method 2: Malicious apps

The other tactic abuses Google Play's web-to-smartphone synchronization function to install malicious apps on the target's device.
  • The attackers use Google account credentials (already stolen via phishing or another method) to log in to the victims' Google Play accounts.
  • They use the Google Play Console (the app developer site) to register a malicious app (carrying the FastViewer malware) 'for internal testing', and then add the victim's account as a testing account.
  • The malicious app is then installed on the target's smartphone linked to that account through the Google Play synchronization function.
  • The app lets the attackers access or steal files, make calls, take screenshots, control SMS messages, activate the camera, record keystrokes, and more.

Ending notes

Kimsuky has been evolving its TTPs continuously and developing new tactics to carry out its operations silently. Most of its tactics rely on phishing and spear-phishing attacks, so securing personal and organizational accounts and other critical assets should be the key priority against this threat. Individuals and organizations are advised to stay aware of the latest tactics and follow the recommendations provided by the agencies.
Publisher: Cyware