The notorious Kimsuky hacker group has targeted South Koreans with three new Android malware variants. The threat group is widely attributed to North Korea, and its newly documented tools are named FastFire, FastViewer, and FastSpy.
South Korean cybersecurity firm S2W reported the surge in Kimsuky hacking activity and found that the group impersonates Google services and legitimate local software to lure its victims.
The lead researchers, Lee Sebin and Shin Yeongjae, noted that the FastFire malware disguises itself as a Google security plugin, the FastViewer malware poses as "Hancom Office Viewer," and the FastSpy malware is a remote access tool based on the open-source AndroSpy project.
Kimsuky hackers on the rise in South Korea
The Kimsuky threat group is backed by the North Korean state and is tracked under multiple aliases by different vendors. While the group has various names, such as Black Banshee, Thallium, and Velvet Chollima, it is assessed to conduct global intelligence gathering on behalf of the North Korean government.
With a large malware arsenal at its disposal, Kimsuky is among the most challenging threat actors to defend against. The group continuously re-evaluates its attack strategies and employs new and more effective malware.
The most recent additions to its expanding Android malware list are FastFire, FastViewer, and FastSpy. FastFire and FastViewer receive commands through Firebase and download additional payloads onto the victims' devices. According to the researchers, FastViewer is a repackaged copy of the Hancom Office Viewer app with malicious code added to it, and once installed it downloads FastSpy onto the victim's device.
Once activated, FastSpy gives the attacker control of the targeted device, including call and SMS interception, location tracking, document harvesting, keystroke logging, and recording through the phone's camera, microphone, and speaker.
The researchers stated that the Kimsuky group has continuously carried out attacks against mobile devices to steal targets' information. Additionally, the threat actor hinders detection at several levels by modifying the open-source AndroSpy RAT rather than using it unchanged.