North Korean hackers use infected Chrome extensions to steal Gmail emails from politicians

The National Intelligence Service (NIS) of the Republic of Korea and the Federal Office for the Protection of the Constitution (BfV) of Germany have issued an advisory about a campaign by North Korean hackers who use malicious Chrome extensions to steal Gmail emails.

These hackers are known as Kimsuky, but they also go by other names such as Thallium and Velvet Chollima. This is a group of malicious actors from North Korea that uses ‘phishing’ (posing as a legitimate source) to conduct cyber espionage targeting diplomats, politicians, journalists, government agencies and even university professors.

Now, the ROK Intelligence Service and Germany’s BfV have published a joint advisory to “raise awareness” of the group’s activity, after identifying a new Kimsuky campaign that, while primarily targeting Korean victims, has also been detected in the United States and Europe.

In this case, the group uses a malicious Google Chrome extension that is spread via a fraudulent email sent to the potential victim. The email encourages the recipient to install the extension in Chrome, although in reality it can also be installed in other Chromium-based browsers, such as Microsoft Edge or Brave.

Once installed, the extension, which appears under the name ‘AF’, activates when the user opens their Gmail account, without the user noticing. From that moment the malware begins to intercept the content of all messages, and the authorities have warned that it also has access to data stored in cloud services.

To steal the information, the ‘AF’ extension uses the Devtools API, a set of tools for web developers built into the Google Chrome browser. Through it, the malicious actors send the stolen data to their relay server. In this way they obtain all the data “in secret”, bypassing the email account’s security settings.
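The advisory’s description (a browser extension that declares a devtools page and has access to Gmail) suggests a simple triage check that defenders can run over the extensions installed in a Chrome profile. The script below is an added example written for this article, not code from the NIS/BfV advisory or from any real extension: it reads each extension’s manifest.json, flags the combination of a `devtools_page` entry and a host permission that covers mail.google.com, and returns a risk rating. The sample manifests are constructed for illustration, and the scoring heuristic is the author’s own assumption, not a published detection rule.

```python
import fnmatch
import json
from pathlib import Path

# Constructed sample manifests (illustrative only; NOT the real 'AF' extension).
SAMPLE_MANIFESTS = {
    "suspicious_ext": {
        "manifest_version": 3,
        "name": "AF (constructed sample)",
        "version": "1.0",
        "devtools_page": "devtools.html",
        "host_permissions": ["https://mail.google.com/*"],
    },
    "benign_dev_tool": {
        "manifest_version": 3,
        "name": "Framework Inspector (constructed sample)",
        "version": "2.1",
        "devtools_page": "panel.html",
        "host_permissions": ["http://localhost/*"],
    },
    "theme_only": {
        "manifest_version": 2,
        "name": "Theme (constructed sample)",
        "version": "0.3",
        "permissions": ["storage"],
    },
}

# Hosts whose exposure we care about for this check (assumption: Gmail only).
MAIL_HOSTS = ("mail.google.com",)


def _host_patterns(manifest):
    """Collect match patterns: MV3 uses host_permissions, MV2 mixes them into permissions."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return pats


def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern (e.g. https://*.google.com/*) covers the host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_part = pattern.split("://", 1)[1].split("/", 1)[0]
    # '*' in the host part acts as a wildcard, which fnmatch handles.
    return fnmatch.fnmatch(host, host_part)


def assess_manifest(manifest):
    """Rate one manifest: high = devtools page AND Gmail access; medium = one of them."""
    findings = []
    if "devtools_page" in manifest:
        findings.append("declares devtools_page (devtools API can read page and network data)")
    if any(pattern_covers_host(p, h) for p in _host_patterns(manifest) for h in MAIL_HOSTS):
        findings.append("host permission covers Gmail")
    risk = "high" if len(findings) == 2 else ("medium" if findings else "low")
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def scan_extension_dir(root):
    """Walk a Chrome profile's Extensions/ directory (Extensions/<id>/<version>/manifest.json)."""
    results = {}
    for mf in Path(root).rglob("manifest.json"):
        with open(mf, encoding="utf-8") as f:
            results[str(mf.parent)] = assess_manifest(json.load(f))
    return results


def scan_samples():
    """Run the check over the constructed samples embedded above."""
    return {key: assess_manifest(m) for key, m in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for key, result in scan_samples().items():
        print(f"{key}: {result['risk']} - {'; '.join(result['findings']) or 'no findings'}")
```

Point `scan_extension_dir` at a profile’s Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) to review real installs. A `medium` hit is not evidence of compromise, since legitimate developer tools declare a devtools page, but a `high` hit on an extension the user did not knowingly install is worth removing and investigating.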

The Korean and German agencies warn that these attacks are mainly aimed at “experts” on the Korean peninsula and North Korea. However, they also warn that “the target of attack can be extended to an unspecified number of people”.


On the other hand, they have also registered a Kimsuky campaign that uses a fraudulent application hosted on the Google Play Store, known since October 2022 as ‘FastViewer’, ‘Fastfire’ or ‘Fastspy DEX’, as BleepingComputer recalls.

This other mode of operation involves stealing the access credentials of the victims’ Gmail account through fraudulent emails. The attackers then take advantage of the smartphone’s synchronization with the app store to download and install the malicious app on the device.

This malware is actually a Remote Access Trojan (RAT). With it, the cybercriminals can access the infected ‘smartphone’ and the information it contains, and take control of it to perform actions such as making calls, sending SMS messages or activating the camera.

Source: Elcomercio
