At a glance
- DPRK threat actor Kimsuky uses Chrome extension to exfiltrate emails.
- DPRK's ScarCruft prospects South Korean organizations.
- Hacktivists' claims of attacks on OT networks are overstated.
- Ghostwriter remains active in social engineering attempts to target Ukrainian refugees.
- An overview of the cyber phases of Russia's hybrid war to date.
DPRK threat actor Kimsuky uses Chrome extension to exfiltrate emails.
The German Constitutional Protection Agency (BfV) and the Republic of Korea’s National Intelligence Service (NIS) have issued a joint advisory describing a spearphishing campaign by North Korea’s Kimsuky threat actor (also known as Thallium or Velvet Chollima).
The threat actor is targeting “experts on the Korean Peninsula and North Korea issues” via a malicious Chrome extension and malware-laden Android apps. According to BleepingComputer, the attackers use spearphishing emails to trick their victims into installing the Chrome extension. After it’s installed, the extension can exfiltrate emails from the victim’s Gmail account.
Kimsuky is also using an Android Trojan called “FastViewer,” which was first observed in October 2022. BleepingComputer explains, “The malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for ‘internal testing only,’ and the victim's device is supposedly added as a testing target.” The advisory adds that “since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people.” For more on Kimsuky's recent activity, see CyberWire Pro.
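Because the advisory names no extension identifiers, a defender's first question is whether any installed extension is positioned to read Gmail the way the item describes. The script below is an added example, not code from the advisory or from BleepingComputer; it assumes the standard Chrome profile layout (`Extensions/<id>/<version>/manifest.json`) and uses constructed sample manifests rather than real indicators.

```python
"""Triage Chrome extension manifests for Gmail access (added example; not from the advisory)."""
import json
from pathlib import Path

# Assumption: a mail-stealing extension needs a host pattern covering the Gmail web origin.
GMAIL_ORIGINS = ("mail.google.com", "gmail.com")
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "https://*/*", "http://*/*"}
RISKY_PERMS = {"webRequest", "webRequestBlocking", "cookies", "tabs", "scripting"}

def matches_gmail(pattern: str) -> bool:
    """True if a match pattern such as 'https://mail.google.com/*' or '<all_urls>' covers Gmail."""
    return pattern in BROAD_PATTERNS or any(o in pattern for o in GMAIL_ORIGINS)

def assess_manifest(manifest: dict) -> dict:
    """Score one manifest (MV2 or MV3): which hosts reach Gmail, which API permissions it holds."""
    hosts, perms = list(manifest.get("host_permissions", [])), set()
    for p in manifest.get("permissions", []):  # MV2 mixes host patterns into "permissions"
        (hosts.append if "://" in p or p == "<all_urls>" else perms.add)(p)
    for cs in manifest.get("content_scripts", []):  # injected scripts also declare their targets
        hosts.extend(cs.get("matches", []))
    gmail_hosts = sorted({h for h in hosts if matches_gmail(h)})
    risky = sorted(perms & RISKY_PERMS)
    return {"name": manifest.get("name", "?"), "gmail_hosts": gmail_hosts,
            "risky_permissions": risky, "suspicious": bool(gmail_hosts and risky)}

def scan_extensions_dir(root: Path) -> list:
    """Walk <Chrome profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    findings = []
    for mf in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it, do not abort the sweep
        findings.append({"id": mf.parent.parent.name, **assess_manifest(data)})
    return findings

# Constructed sample manifests (not real indicators): one standing in for a mail-stealing
# extension, one benign.
SAMPLE_SUSPICIOUS = {"name": "Document Viewer Helper", "manifest_version": 3,
                     "permissions": ["tabs", "scripting", "storage"],
                     "host_permissions": ["https://mail.google.com/*"],
                     "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["inject.js"]}]}
SAMPLE_BENIGN = {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]}
```

A hit only means the extension can reach Gmail with script or request access; confirming exfiltration still requires reviewing its bundled JavaScript and its outbound traffic.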