
Thread: North Korean hackers using Chrome extensions to steal Gmail emails

  1. #1
    kirill

    North Korean hackers using Chrome extensions to steal Gmail emails


    A joint cybersecurity advisory from the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warns about Kimsuky's use of Chrome extensions to steal targets' Gmail emails.

    Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians. Initially focused on targets in South Korea, the threat actors expanded operations over time to target entities in the USA and Europe.

    The joint security advisory was released to warn of two attack methods used by the hacking group — a malicious Chrome extension and Android applications.

    While the current campaign targets people in South Korea, the techniques used by Kimsuky can be applied globally, so raising awareness is vital.


    Stealing Gmail emails

    The attack begins with a spear-phishing email urging the victim to install a malicious Chrome extension, which will also install in Chromium-based browsers, such as Microsoft Edge or Brave.

    The extension is named 'AF' and can only be seen in the extensions list if the user enters "(chrome|edge|brave)://extensions" in the browser's address bar.

    Once the victim visits Gmail through the infected browser, the extension automatically activates to intercept and steal the victim's email content.

    The extension abuses the Devtools API (developer tools API) on the browser to send the stolen data to the attacker's relay server, stealthily stealing their emails without breaking or bypassing account security protections.

    This is not the first time Kimsuky has used malicious Chrome extensions to steal emails from breached systems.

    In July 2022, Volexity reported on a similar campaign using an extension named "SHARPEXT." In December 2018, Netscout reported that Kimsuky was following the same tactic against academia targets.

    This time, the hashes of the malicious files Kimsuky uses in its latest attacks are:


    • 012D5FFE697E33D81B9E7447F4AA338B (manifest.json)
    • 582A033DA897C967FAADE386AC30F604 (bg.js)
    • 51527624E7921A8157F820EB0CA78E29 (dev.js)

    [Figure: Chrome extension infection chain]

    Android malware

    The Android malware used by Kimsuky is named "FastViewer," "Fastfire," or "Fastspy DEX," and it has been known since October 2022, when it was seen masquerading as a security plugin or document viewer.

    However, Korean cybersecurity firm AhnLab reports that the threat actors updated FastViewer in December 2022, so they continued using the malware after its hashes were publicly reported.

    The attack unfolds with Kimsuky logging in to the victim's Google account, which they previously stole through phishing emails or other means.

    Next, the hackers abuse the web-to-phone synchronization feature of Google Play, which allows users to install apps on their linked devices from their computer (Play Store website) to install the malware.

    The malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for "internal testing only," and the victim's device is supposedly added as a testing target.

    This technique wouldn't work for large-scale infections, but it is exceptional and quite stealthy when it comes to narrow targeting operations like those run by Kimsuky.

    The Android malware is a RAT (remote access trojan) tool enabling the hackers to drop, create, delete, or steal files, get contact lists, perform calls, monitor or send SMS, activate the camera, perform keylogging, and view the desktop.


    [Figure: Android malware infection chain]

    As Kimsuky continues to evolve its tactics and develop more sophisticated methods to compromise Gmail accounts, individuals and organizations must remain vigilant and implement robust security measures.

    This includes keeping software up-to-date, being cautious of unexpected emails or links, and regularly monitoring accounts for suspicious activity.
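As an added defender-side example (not part of the original post or the BfV/NIS advisory), here is a Python scanner that walks a Chromium-style profile's Extensions directory and flags the traits the post describes: the three published MD5 hashes, the extension name 'AF', and a declared devtools_page (the standard manifest key for a DevTools hook; treating it as review-worthy is a heuristic, since legitimate developer tooling also uses it). The profile layout and the two sample extensions are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# MD5 hashes published in the BfV/NIS advisory quoted in the post above.
KNOWN_BAD_MD5 = {
    "012d5ffe697e33d81b9e7447f4aa338b": "manifest.json",
    "582a033da897c967faade386ac30f604": "bg.js",
    "51527624e7921a8157f820eb0ca78e29": "dev.js",
}

def scan_extension_dir(ext_dir: Path) -> list:
    """Return (severity, reason) findings for one unpacked extension directory."""
    findings = []
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return findings
    for f in (p for p in ext_dir.rglob("*") if p.is_file()):
        h = hashlib.md5(f.read_bytes()).hexdigest()
        if h in KNOWN_BAD_MD5:  # exact match on an advisory hash
            findings.append(("high", f"{f.name} matches advisory hash {h}"))
    try:
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return findings + [("review", "manifest.json is not valid JSON")]
    if manifest.get("name", "").strip() == "AF":  # the advisory's extension name
        findings.append(("high", "extension name 'AF' matches the advisory"))
    # devtools_page is legitimate for developer tooling, but it is the DevTools hook this campaign abuses.
    if "devtools_page" in manifest:
        findings.append(("review", f"declares devtools_page {manifest['devtools_page']!r}"))
    return findings

def scan_profile(profile_dir: Path) -> dict:
    """Walk <profile>/Extensions/<id>/<version>/ as Chromium-based browsers lay it out."""
    results = {}
    for version_dir in (profile_dir / "Extensions").glob("*/*"):
        if findings := scan_extension_dir(version_dir):
            results[f"{version_dir.parent.name}/{version_dir.name}"] = findings
    return results

def make_sample_profile() -> Path:
    """Constructed profile: one benign extension, one with the advisory's traits (no payload)."""
    root = Path(tempfile.mkdtemp()) / "Default"
    good, bad = root / "Extensions/aaaa/1.0_0", root / "Extensions/bbbb/1.0_0"
    for d in (good, bad):
        d.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Tab Counter", "version": "1.0"}))
    (bad / "manifest.json").write_text(json.dumps({"name": "AF", "version": "1.0", "devtools_page": "dev.html"}))
    return root
```

Point scan_profile at a real profile directory (for example the Default profile under the browser's user data folder) to check a machine; the hash match is the only high-confidence signal, the name and devtools_page checks are triage hints.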

  2. #2
    BillyZilly
    It seems like nowadays the only way to be safe from hackers and malware is to not use the internet.