North Korean Kimsuky group used three malware strains in attacks

November 8, 2022

The Kimsuky North Korean APT group has been observed distributing three Android malware families, FastFire, FastViewer, and FastSpy, against South Korean targets.

Security experts explained that FastFire masquerades as a Google security plugin, FastViewer is disguised as the Hancom Office Viewer app, and FastSpy is an AndroSpy-based remote access tool.


The Kimsuky group, aka Black Banshee, Thallium, and Velvet Chollima, is a North Korean APT actor known for cyberespionage attacks against South Korea, Japan, and the US.


Earlier this year, the Kimsuky group ran infection chains against its victims that used a Windows backdoor dubbed GoldDragon and an Android version of the AppleSeed implant.

The latest additions to the group's arsenal, FastFire, FastViewer, and FastSpy, are designed to receive commands from a Firebase C2 server and download further payloads onto the victim's device.

The researchers added that FastViewer is a repackaged APK: the attackers injected malicious code into the authentic Hancom Office Viewer app and re-distributed it. In its next stage, FastViewer downloads the FastSpy malware onto the compromised device.

Furthermore, both FastViewer and FastSpy abuse Android API permissions to carry out their espionage activities. FastSpy additionally automates user clicks to grant itself more extensive device permissions, a technique also seen in the MaliBot malware.

Once launched on a device, FastSpy lets the Kimsuky group take over the infected device, spy on phone calls and text messages, track its location, steal data, capture keystrokes, and record camera, microphone, and speaker activity.

Attribution of the three malware strains to the Kimsuky group rests on observed overlaps, primarily the server domain ‘mc.pzs[.]kr’, which the APT group had used in a campaign last May that distributed malware through a page disguised as a North Korean press release.

Users are advised to be cautious about downloading files from third-party sources on their Android devices, since the Kimsuky group has been concentrating on spreading spyware to Android users.
