Kimsuky Updates its Tactics to Target South Korean Experts

Why this matters?

• The current targets of the Kimsuky campaign are high-profile experts in South Korea, however, the attack tactics are generic and can be used against victims in other countries as well.
• The two independent tactics are meant to steal Gmail emails from the infected Chromium-based web browsers and remotely install malicious applications on the target’s Android devices.

Method 1: Browser extensions

• The attackers send a spear-phishing email to the targeted victims, asking them to install a malicious Chrome extension named AF for their chromium-based browsers, including Google Chrome, Microsoft Edge, or Brave.
• Once infected with the extension, the malicious code waits for the victim to open their Gmail on the browser. Subsequently, it initiates the intercept to steal the emails.
• The extension leverages Devtools API on the browser to send the content back to the attacker's server. 
• This way, it bypasses security protection (such as secondary authentication) without raising any alarms.

Method 2: Malicious apps

• The attackers leverage the Google account credentials (already stolen via phishing or any other method) to login into users' Play accounts.
• They use Google Play Console (app developer site) to register a malicious app (carrying FastViewer malware) ‘for internal testing’, and then add the victim’s account as the testing account.
• The malicious app is then installed on the target's smartphone linked to the account, using the Google Play synchronization function.
• It will enable criminals to access or steal files, perform calls, screenshot, control SMSs, activate the camera, record keystrokes, and more.

Ending notes