Alert concerning North Korea's Thallium APT.
N2K logoMar 23, 2023

Threat actor targets experts on the Korean Peninsula.

Alert concerning North Korea's Thallium APT.

The German Constitutional Protection Agency (BfV) and the Republic of Korea’s National Intelligence Service (NIS) have issued a joint advisory describing a spearphishing campaign by North Korea’s Kimsuky threat actor (also known as Thallium or Velvet Chollima).

Chrome extension used to exfiltrate emails.

The threat actor is targeting “experts on the Korean Peninsula and North Korea issues” via a malicious Chrome extension and malware-laden Android apps. According to BleepingComputer, the attackers use spearphishing emails to trick their victims into installing the Chrome extension. After it’s installed, the extension can exfiltrate emails from the victim’s Gmail account.

Kimsuky is also using an Android Trojan called “FastViewer,” which was first observed in October 2022. BleepingComputer explains, “The malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for ‘internal testing only,’ and the victim's device is supposedly added as a testing target.”

The advisory adds that “since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people.”

Industry comment.

Joe Gallop, Cyber Threat Intelligence Manager at Cofense, stated:

“This joint cybersecurity advisory emphasizes the continued development of threat actors utilizing spear-phishing tactics to conduct espionage against specific targets. According to the report, the threat actor sends a phishing email to trick targets into installing a malicious extension in Chromium-based browsers, which in turn enables the threat actor to steal a target's Gmail emails. The threat actor may also steal credentials to the Gmail account, log in to the account, and use an app development feature to surreptitiously load other malware on smartphones linked to that account. It is important to note that while this last step would be limited to fewer targets due to the need for a manual login, the advisory indicates that the techniques and software used in the first step are applicable in broadly-targeted phishing campaigns.

“It is crucial to take the appropriate actions to safeguard inboxes, identify dangers, and react to an attack as phishing campaigns continue to increase in frequency. Implementing actionable intelligence will help keep hostile actors at bay and maintain the protection of sensitive data by providing visibility into the risk variables in your network and prompt, decisive responses to phishing threats.”