Thursday, April 18, 2024

Kimsuky Hacker Group Targeting Mobile Users With New Android Malware

Kimsuky (aka Thallium, Black Banshee, Velvet Chollima) is a North Korean hacking group that is actively targeting Android device users with 3 new mobile malware that are recently discovered by the cybersecurity experts at S2W.

This group has been active since 2012 and has performed several cyberattacks on targets who are engaged in the following sectors around the globe:- 

  • Media
  • Research
  • Politics
  • Diplomacy
  • Finance

Data is primarily collected by this hacking group through the distribution of malware and spear-phishing attacks through which they gain access to the victims’ accounts.

Malware Strains

It should be noted that the malware strains were named in the following manner by the South Korean cybersecurity company S2W:-

  • FastFire: FastFire disguised as a Google security plug-in.
  • FastViewer: FastViewer malware disguises itself as “Hancom Viewer.”
  • FastSpy: FastSpy is a remote access tool that is based on the open-source AndroSpy tool.

As far as Kimsuky is concerned, North Korea is expected to be conducting an intelligence-gathering mission under the curtain of Kimsuky around the globe.

The primary focus of this group is on the organizations and entities from the following countries:-

  • South Korea
  • Japan
  • The U.S.

Technical Analysis

In the past, attackers have been able to execute arbitrary actions on infected devices through the Android version of the AppleSeed implant.

The three families of malware that have been discovered recently are the latest additions to Kimsuky’s arsenal. This set of malware is mainly designed to perform two key tasks:-

  • Receive commands from Firebase
  • Download additional payloads

There is a predetermined order in which FastFire is executed, which begins with MainActivity. “com.viewer.fastsecure” is the package name of the malicious APK, which disguises itself as a Google Security Plugin.

There is no way to discover that it is installed once it is installed because it hides its launcher icon. Using the accessibility API permissions, FastViewer and FastSpy both perform spying activities on Android devices.

Upon launching FastSpy, it will give the attacker complete control over the devices that are being targeted to steal and hijack the following data and components:-

  • Calls
  • SMS
  • Locations
  • Documents
  • Keystrokes
  • Camera
  • Recordings
  • Microphone
  • Speakers

These three malware families were attributed to the Kimsuky hacking group, as this group has been found to be using the domain “mc.pzs[.]kr.” While it’s the domain name that has previously been used by the group in a prior campaign that was operated in May 2022.

It is imperative that users be careful about sophisticated attacks targeting Android devices due to Kimsuky Group’s mobile targeting strategy becoming more sophisticated and advanced.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles