Posted on March 24, 2023 at 8:19 AM
North Korean hackers infiltrate individuals and corporations using sophisticated hacking attacks
North Korean hackers are notorious for infiltrating individuals and corporations through sophisticated hacking attacks. The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) have issued a joint statement warning that North Korean threat actors are using malicious Chrome extensions to steal Gmail emails from their targets.
North Korean hackers use Chrome extensions to steal Gmail emails
The North Korean hacking group accused of this malicious activity is known as Kimsuky. The group is also tracked under other names, such as Thallium and Velvet Chollima. It usually relies on spear-phishing campaigns to conduct cyber-espionage against high-value targets such as government agencies, diplomats, politicians, journalists, and university professors.
The malicious attacks this threat actor group launched were initially focused on targets in South Korea. However, the hackers expanded their operations over time and started targeting entities based in Europe and the USA.
The two agencies issued a joint security advisory warning of the dangers posed by the group's activities. The advisory said the hackers have been using a malicious Chrome extension and malicious Android applications.
The current campaign targets individuals based in South Korea. However, the techniques the hackers employ can be reused in campaigns against targets anywhere, so organizations that handle sensitive information should be aware of the threat.
The attack begins with a spear-phishing email that tricks the victim into installing a malicious Chrome extension. Because the extension targets the Chromium engine, it also installs in other Chromium-based browsers such as Brave and Microsoft Edge.
The extension used in this campaign is named “AF.” Once installed, it appears in the browser's extension list, which a user can review by entering chrome://extensions, edge://extensions or brave://extensions in the address bar. It is the installation of this extension that compromises the browser.
When the victim opens Gmail in the infected browser, the extension activates automatically and intercepts and steals the contents of the victim's email. To do so, the extension abuses the browser's DevTools API (the developer tools API).
The stolen data is then sent to an attacker-controlled relay server. Because the extension runs inside the victim's already authenticated browser session, the attackers can steal Gmail messages without having to bypass the account's security protections and without triggering security alerts, which is how they remain undetected.
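The two manifest-level traits described above, use of the DevTools API (an extension that uses it must declare a `devtools_page` in its manifest.json) and access to Gmail (host permissions or content scripts whose match patterns cover mail.google.com), can be triaged offline by reading the manifests of installed extensions. The following script is an added example, not code from the original page, from the advisory, or from Kimsuky. It assumes the default extension directories of Chrome, Edge and Brave on Windows, macOS and Linux, and the sample manifests it builds are constructed for the demonstration; the extension name “AF” in the sample is taken from the article, everything else about it is made up. Plenty of legitimate developer-tool extensions declare `devtools_page`, so a hit is a triage lead, not a verdict.

```python
"""Triage Chromium-family browser extensions for two traits: use of the DevTools
API (a devtools_page entry in manifest.json) combined with access to Gmail
(host permissions or content scripts matching mail.google.com).
Added example; not code from the original page or from Kimsuky. Assumptions:
the profile directory layouts below are the browsers' defaults, and the
manifests produced by build_sample_profile() are constructed sample data."""
import json
import tempfile
from pathlib import Path

GMAIL_HOST = "mail.google.com"

# Default extension directories (assumption: the "Default" profile; other
# profiles live in sibling "Profile N" directories).
HOME = Path.home()
EXTENSION_ROOTS = [
    HOME / "AppData/Local/Google/Chrome/User Data/Default/Extensions",
    HOME / "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
    HOME / "AppData/Local/BraveSoftware/Brave-Browser/User Data/Default/Extensions",
    HOME / "Library/Application Support/Google/Chrome/Default/Extensions",
    HOME / "Library/Application Support/Microsoft Edge/Default/Extensions",
    HOME / "Library/Application Support/BraveSoftware/Brave-Browser/Default/Extensions",
    HOME / ".config/google-chrome/Default/Extensions",
    HOME / ".config/microsoft-edge/Default/Extensions",
    HOME / ".config/BraveSoftware/Brave-Browser/Default/Extensions",
]


def pattern_covers_host(pattern, host=GMAIL_HOST):
    """True if a Chrome match pattern (e.g. "*://*.google.com/*", "<all_urls>")
    grants access to the given host. API permissions such as "tabs" never do."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        suffix = host_part[1:]            # "*.google.com" -> ".google.com"
        return host == suffix[1:] or host.endswith(suffix)
    return host_part == host


def assess_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    if "devtools_page" in manifest:
        findings.append("declares devtools_page (extension can use the DevTools API)")
    host_patterns = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        host_patterns += [p for p in manifest.get(key, []) if isinstance(p, str)]
    gmail_hosts = sorted(p for p in host_patterns if pattern_covers_host(p))
    if gmail_hosts:
        findings.append("host permission covers %s: %s" % (GMAIL_HOST, gmail_hosts))
    for script in manifest.get("content_scripts", []):
        if any(pattern_covers_host(m) for m in script.get("matches", [])):
            findings.append("content script injected into %s" % GMAIL_HOST)
            break
    return findings


def scan_extensions(root):
    """Walk an Extensions directory and return {extension dir: (name, findings)}
    for every extension that shows at least one of the traits."""
    hits = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                      # unreadable or non-JSON: skip, not a hit
        findings = assess_manifest(manifest)
        if findings:
            hits[str(manifest_path.parent)] = (manifest.get("name", "?"), findings)
    return hits


def build_sample_profile():
    """Constructed sample data: one benign extension and one that shows both
    traits. Returns a temporary Extensions directory."""
    root = Path(tempfile.mkdtemp(prefix="ext-scan-"))
    samples = {
        "aaaabbbb/1.0_0": {"name": "Tab Counter", "manifest_version": 3,
                           "permissions": ["tabs"]},
        "ccccdddd/1.0_0": {"name": "AF", "manifest_version": 3,
                           "devtools_page": "devtools.html",
                           "host_permissions": ["*://mail.google.com/*"],
                           "content_scripts": [{"matches": ["https://mail.google.com/*"],
                                                "js": ["content.js"]}]},
    }
    for rel, manifest in samples.items():
        ext_dir = root / rel
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Scan whatever real profiles exist; fall back to the constructed sample.
    roots = [r for r in EXTENSION_ROOTS if r.is_dir()] or [build_sample_profile()]
    for root in roots:
        for ext_dir, (name, findings) in scan_extensions(root).items():
            print(f"[{name}] {ext_dir}")
            for finding in findings:
                print("   -", finding)
```

Run it as-is on an analyst workstation to list candidate extensions across the three browsers; on a host with none of the default profiles it scans the constructed sample and reports only the “AF” manifest. Pair a hit with the extension's network behaviour (an unexplained relay host in the extension's background traffic) before treating it as malicious.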
It is not the first time that the Kimsuky hacking group has used malicious Chrome extensions to conduct their hacking campaigns and steal Gmail emails from breached systems. In July last year, Volexity issued a report about a similar campaign that employed an extension known as “SHARPEXT.”
In December 2018, a report by Netscout noted that Kimsuky had used the same strategy to target professionals in the academic sector; that report also listed the hashes of the malicious files involved so that defenders could detect them.
North Korean hackers are using Android malware
The Kimsuky hacking group has been using Android malware to conduct exploits. The Android malware used by hackers is known as “FastViewer.” It also goes by other names, such as Fastfire and Fastspy DEX.
FastViewer has been active since at least October 2022, when it was first seen trying to infect devices while masquerading as a security plugin. A report by the South Korean cybersecurity firm AhnLab said the threat actors updated FastViewer in December 2022 so that they could continue using it without detection.
The Android attack starts with the Kimsuky operators logging in to the victim's Google account, access they previously obtained through phishing emails or other techniques. They then abuse the web-to-phone synchronization feature of the Google Play Store, which lets a signed-in user install an app on their registered devices from the web.
The malicious application is uploaded to the Google Play Console developer site as an “internal testing only” release, and the victim's account and device are enrolled as a testing target, so the app can be pushed from the Play web interface straight onto the victim's phone.
Because it requires access to each victim's Google account, this technique does not scale to large-scale infections, but it is stealthy against specific targets and the malware can remain on a device without detection. FastViewer is classified as a remote access Trojan (RAT) that allows the hackers to drop, create, delete, and steal files, access contact lists, make calls, and send SMS messages.
Kimsuky has continually evolved its tactics, developing more sophisticated methods to compromise Gmail accounts, individuals, and organizations. Organizations and individuals therefore need to remain vigilant and deploy robust security controls to defend against such attacks.