South Korea and Germany have released a joint cyber security advisory warning that North Korean hackers are trying to steal Gmail emails through a malicious Chrome extension.
The National Intelligence Service (NIS) of the Republic of Korea and the German Bundesamt für Verfassungsschutz (BfV) have warned that Kimsuky, a North Korean hacking group also tracked as 'Velvet Chollima' and 'Thallium', is focusing its attacks on researchers who study North Korea and the Korean Peninsula.
The attackers used a spear phishing email to install a malicious Chromium extension via a link. When the victim logs into their Gmail, the extension is activated and sends the stolen email content to the attacker’s server, bypassing security settings.
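The capability described above, an extension that holds a view of the Gmail session and a way to send page content elsewhere, is visible in the extension's own manifest. The following is an added example (not code from the advisory or from the article) that audits Chrome/Chromium extension manifests for that combination: host access covering mail.google.com, permissions that observe page or network traffic, content scripts injected into Gmail, and the absence of a Chrome Web Store `update_url` (a side-loading heuristic). The sample manifests are constructed, and the profile path in the comment is an assumption about a default Chrome install.

```python
"""Audit Chrome/Chromium extension manifests for Gmail-session access.

Added example, not from the advisory or the article. Sample manifests below
are constructed; the profile directory mentioned at the bottom is assumed.
"""
import json
import os
import re
from typing import List

# Host patterns that put Gmail pages in scope (MV2 `permissions`, MV3
# `host_permissions`, or `content_scripts[].matches`).
GMAIL_HOST_RE = re.compile(
    r"^(?:\*|https?)://(?:\*\.google\.com|(?:\*\.)?mail\.google\.com)/"
)
# Patterns that match every site, so Gmail is implicitly included.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe or rewrite page content/traffic.
OBSERVE_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "scripting", "tabs", "cookies"}


def _covers_gmail(pattern: str) -> bool:
    """True if a match pattern gives the extension a view of Gmail pages."""
    return pattern in BROAD_HOST_PATTERNS or bool(GMAIL_HOST_RE.match(pattern))


def host_patterns(manifest: dict) -> List[str]:
    """Collect every host pattern the manifest declares, MV2 or MV3 style."""
    pats = [p for p in manifest.get("permissions", [])
            if "://" in p or p == "<all_urls>"]          # MV2 hosts live here
    pats.extend(manifest.get("host_permissions", []))    # MV3 hosts live here
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def assess_manifest(manifest: dict) -> dict:
    """Return a risk rating and the findings that produced it."""
    findings = []
    gmail_hosts = sorted({p for p in host_patterns(manifest) if _covers_gmail(p)})
    if gmail_hosts:
        findings.append(f"host access covering Gmail: {gmail_hosts}")
    observe = sorted(OBSERVE_PERMS & set(manifest.get("permissions", [])))
    if observe:
        findings.append(f"page/traffic-observing permissions: {observe}")
    # A content script injected into Gmail reads the mailbox as the user sees it.
    gmail_scripts = [js for cs in manifest.get("content_scripts", [])
                     if any(_covers_gmail(m) for m in cs.get("matches", []))
                     for js in cs.get("js", [])]
    if gmail_scripts:
        findings.append(f"content scripts injected into Gmail: {gmail_scripts}")
    # Store-installed extensions carry an update_url; unpacked or side-loaded ones usually do not.
    if "update_url" not in manifest:
        findings.append("no update_url: not installed from the Chrome Web Store (side-loaded or unpacked)")
    if gmail_hosts and (observe or gmail_scripts):
        risk = "high"
    elif gmail_hosts or observe:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def scan_profile(profile_dir: str) -> List[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    results = []
    for root, _dirs, files in os.walk(os.path.join(profile_dir, "Extensions")):
        if "manifest.json" in files:
            with open(os.path.join(root, "manifest.json"), encoding="utf-8") as fh:
                report = assess_manifest(json.load(fh))
            report["path"] = root
            results.append(report)
    return results


# Constructed sample manifests (not real extensions) so the script runs stand-alone.
SAMPLE_STORE_EXTENSION = {
    "manifest_version": 3, "name": "Example Tab Saver", "version": "1.2.0",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
    "update_url": "https://clients2.google.com/service/update2/crx",
}
SAMPLE_SUSPECT_EXTENSION = {
    "manifest_version": 3, "name": "Mail Helper", "version": "0.1",
    "permissions": ["webRequest", "tabs"],
    "host_permissions": ["*://*.google.com/*"],
    "content_scripts": [{"matches": ["https://mail.google.com/*"],
                         "js": ["inject.js"], "run_at": "document_start"}],
}

if __name__ == "__main__":
    for m in (SAMPLE_STORE_EXTENSION, SAMPLE_SUSPECT_EXTENSION):
        print(json.dumps(assess_manifest(m), indent=2))
    # Assumed default Linux profile path; adjust for your platform:
    # scan_profile(os.path.expanduser("~/.config/google-chrome/Default"))
```

Run it against a profile directory during triage; anything rated "high" that also lacks an `update_url` is worth pulling for manual review, and the same host and permission checks translate directly into an enterprise `ExtensionSettings` allowlist policy.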
The hacking group also uses Android malware to get further access to a victim’s device. After stealing a victim’s Google account information through the phishing technique, the attacker also registers a malicious app on the Google Play Console and adds the account as a test target.
Analysis of the attacks showed that the attacker then logs in to a victim’s Google account on a PC and requests installation of the malicious app onto the victim’s smartphone, which is linked to the Google account. This is done through Google Play’s synchronisation feature.
Kimsuky makes use of three malware strains called FastFire, FastViewer, and FastSpy, according to Cyware. The malware allows an attacker to track users’ locations, collect keystrokes, record camera data, intercept phone calls, and save documents.
The North Korean hacking group has used malicious browser extensions in the past to steal data from Gmail and AOL sessions.
Cyber security firm Volexity discovered the extension, called ‘SHARPEXT’, in August 2022. The extension monitored webpages to sift through emails and attachments from victims’ mailboxes.
The spyware was linked to a threat actor called SharpTongue, another known alias of Kimsuky. The browser extension was also installed using spear phishing and social engineering tactics, by encouraging victims to access a malicious document.
In July 2022, Kimsuky was named on the US State Department's list of North Korean hacking groups about which it was actively seeking information, with a $10 million reward offered for useful submissions.
Other notorious groups on the list included Lazarus Group (blamed for the 2017 WannaCry attack), Andariel, and Bluenoroff.