The North Korean state-sponsored threat group Kimsuky has adopted new attack methods that expand its espionage operations without triggering security detections. The new tactics include abusing a malicious Google Chrome extension and pushing malicious Android applications to victims' devices.
Based on reports, these North Korean hackers are currently targeting high-profile security experts in South Korea. However, researchers noted that Kimsuky's new strategy could also be used to infect targets in other countries.
The malware developers created two new techniques: one to steal Gmail content from infected Chromium-based web browsers, and another to remotely install malicious apps on a target's Android device.
Kimsuky strategies use browser extensions and malicious apps.
According to the investigation, the first new tactic from Kimsuky is the use of browser extensions. The attack starts with a spear-phishing email sent to the targeted victims. The attackers then prompt the target to install a malicious Chrome extension (AF) in their Chromium-based browser.
Once the extension is installed, the malicious code waits for the victim to open Gmail in the browser and intercepts the mail content after the targeted user logs in.
The extension then uses the browser's DevTools API to exfiltrate the stolen content to an attacker-controlled server.
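The capability pattern described above (DevTools access combined with host permissions covering webmail) is visible in an extension's manifest before any mail is ever intercepted. The following Python script is an added defensive example, not code from the article and not related to the AF extension itself: it audits extension manifests collected from managed browsers and flags the combination of DevTools/debugger capability and webmail host access. The sample manifests and the `WEBMAIL_HOSTS` list are constructed for the example.

```python
"""Audit Chrome extension manifests for DevTools access plus webmail host permissions.

Added example for defenders: run over manifest.json files gathered from managed
endpoints (e.g. an extension inventory export) to surface extensions worth reviewing.
"""
import json

# Webmail hosts an organisation cares about (constructed list, extend as needed).
WEBMAIL_HOSTS = ["mail.google.com", "outlook.live.com"]

# Constructed sample manifests; neither corresponds to a real extension.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Tab Counter",
    "version": "1.0",
    "permissions": ["tabs"],
})

SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Mail Helper",
    "version": "0.1",
    "permissions": ["webRequest", "storage"],
    "host_permissions": ["https://mail.google.com/*", "<all_urls>"],
    "devtools_page": "devtools.html",   # grants access to the DevTools API
})


def host_pattern_covers(pattern: str, host: str) -> bool:
    """Return True if a Chrome match pattern grants access to `host`.

    Handles "<all_urls>", "*://*/*", "*://*.example.com/*" and exact hosts.
    """
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False                      # not a host pattern (e.g. "tabs")
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        base = host_part[2:]
        return host == base or host.endswith("." + base)
    return host_part == host


def audit_manifest(manifest_json: str) -> list[str]:
    """Return a list of human-readable findings for one manifest (empty = nothing notable)."""
    m = json.loads(manifest_json)
    findings = []
    perms = set(m.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = list(m.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]

    if "devtools_page" in m:
        findings.append("declares devtools_page (DevTools API access)")
    if "debugger" in perms:
        findings.append("requests debugger permission")
    covered = sorted({h for h in WEBMAIL_HOSTS for pat in hosts if host_pattern_covers(pat, h)})
    if covered:
        findings.append("host access to webmail: " + ", ".join(covered))
    return findings


def is_high_risk(manifest_json: str) -> bool:
    """High risk = DevTools/debugger capability AND host access to webmail."""
    findings = audit_manifest(manifest_json)
    has_devtools = any("devtools" in f or "debugger" in f for f in findings)
    has_webmail = any(f.startswith("host access to webmail") for f in findings)
    return has_devtools and has_webmail


if __name__ == "__main__":
    for name, manifest in [("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)]:
        print(name, "high risk" if is_high_risk(manifest) else "ok", audit_manifest(manifest))
```

In practice the same check belongs alongside an enterprise extension allowlist (Chrome's `ExtensionInstallAllowlist` / `ExtensionInstallBlocklist` policies), since an extension a user is talked into installing during a phishing exchange is exactly what such policies prevent.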
The second tactic is the use of malicious apps. This technique abuses Google Play's web-to-smartphone synchronisation feature to install a malicious app on a targeted device.
The Kimsuky operators use previously obtained Google account credentials to log into the victim's Play Store account. They then use the Google Play Console to register a malicious application for supposed internal testing and add the victim's account as a testing account.
Google Play synchronisation then installs the malicious application on the target's smartphone linked to that account. This gives the actors the ability to access or steal files, capture screenshots, manipulate SMS messages, place phone calls, open the camera, and record keystrokes.
Cybersecurity experts explained that both new attack strategies rely heavily on phishing and spear-phishing campaigns. Users and organisations should secure their accounts and other assets to mitigate the effects of these recent attacks from Kimsuky.