Security researchers have discovered a malicious browser extension for Chrome and other Chromium-based browsers that steals the contents of victims' Gmail accounts.
The campaign was disclosed by two national security agencies: Germany's Federal Office for the Protection of the Constitution (BfV) and South Korea's National Intelligence Service (NIS).
The two agencies issued a joint advisory warning of the campaign and urging diplomats, journalists, university professors, politicians and civil servants, all reportedly prime targets, to be especially vigilant.
Delivered via Phishing
AF is the name of the malicious Google Chrome extension, distributed by the actor tracked as Kimsuky (also known as Thallium). The two agencies attribute the group to North Korea and say it targets high-profile individuals for cyber espionage.
Kimsuky initially focused on targets in South Korea, but has recently expanded its target list to Europe and the United States.
AF is delivered to victims via phishing. The group sends an ordinary-looking "urgent" email telling the victim to install the extension on their endpoint. Once installed, the extension adds no icon to the Chrome toolbar and is only visible on the browser's extension management page (chrome://extensions), so a casual look at the browser does not reveal it. From then on, every time the victim opens Gmail the extension runs and exfiltrates the mailbox contents.
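Because the extension is hidden from the toolbar but still present in the profile's extension store, a practical check is to audit the extension manifests on disk rather than trusting what the browser UI shows. The following script is an added example, not code from the article or from the agencies' advisory. It assumes the standard Chromium profile layout `<profile>/Extensions/<id>/<version>/manifest.json` and flags any extension whose host patterns reach `mail.google.com`, reporting which sensitive permissions it holds and whether it declares a toolbar action. The page does not publish AF's manifest, so the two sample manifests below are constructed for the demo and the permission heuristics are the author's assumptions, not indicators taken from the real campaign.

```python
"""Audit a Chromium profile for extensions that can reach Gmail.

Added example; not part of the original article or the BfV/NIS advisory.
Assumptions: Chromium's <profile>/Extensions/<id>/<version>/manifest.json layout,
and Manifest V2/V3 key names as documented by Google. Sample data is constructed.
"""
import json
import sys
import tempfile
from pathlib import Path

# Host patterns treated as granting access to Gmail pages (assumption: wildcards
# over google.com or all hosts count as well as the explicit Gmail origin).
GMAIL_HOSTS = ("mail.google.com", "*.google.com", "<all_urls>", "*://*/*", "https://*/*")

# Permissions that let an extension read page content or traffic without user action.
RISKY_PERMISSIONS = {"debugger", "webRequest", "webRequestBlocking", "cookies",
                     "tabs", "scripting", "<all_urls>"}


def _host_patterns(manifest):
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content_scripts."""
    patterns = set()
    patterns.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    patterns.update(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def _touches_gmail(pattern):
    return any(h in pattern for h in GMAIL_HOSTS)


def audit_manifest(manifest):
    """Return a finding for one manifest, or None if it cannot reach Gmail."""
    gmail_hosts = sorted(p for p in _host_patterns(manifest) if _touches_gmail(p))
    if not gmail_hosts:
        return None
    perms = set(manifest.get("permissions", []))
    # MV3 uses "action"; MV2 used "browser_action" / "page_action". No action key
    # means no toolbar icon is declared (heuristic, not proof of hiding).
    has_icon = any(k in manifest for k in ("action", "browser_action", "page_action"))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "gmail_hosts": gmail_hosts,
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "has_toolbar_icon": has_icon,
    }


def audit_profile(profile_dir):
    """Walk <profile>/Extensions and return findings keyed by extension id."""
    findings = {}
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not crash the audit
        finding = audit_manifest(manifest)
        if finding:
            findings[ext_id] = finding
    return findings


def build_demo_profile(root):
    """Write two constructed manifests (not real extensions) under root/Extensions."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # benign: no Gmail access, has an icon
            "manifest_version": 3, "name": "Tab Counter (constructed)", "version": "1.0",
            "permissions": ["tabs"], "action": {"default_title": "Tabs"},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # suspicious: Gmail content script, no icon
            "manifest_version": 3, "name": "Mail Helper (constructed)", "version": "0.1",
            "permissions": ["debugger", "storage"],
            "host_permissions": ["https://mail.google.com/*"],
            "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["a.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Build the constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_profile(tmp)
        return audit_profile(tmp)


if __name__ == "__main__":
    # Usage: python audit_ext.py "<path to Chrome profile dir>"; no argument runs the demo.
    result = audit_profile(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(json.dumps(result, indent=2))
```

On a real host the profile directory is, for example, `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows; any hit with Gmail host access, a `debugger` or `webRequest` permission and no declared toolbar action deserves a manual look at its JavaScript before it is trusted.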
Kimsuky is a state-sponsored actor focused on cyber espionage and intelligence gathering. According to CISA, the group has been active for more than 10 years.
In 2015 it was accused of stealing sensitive data from Korea Hydro & Nuclear Power, South Korea's nuclear plant operator, and four years later, in 2019, of targeting retired South Korean diplomats, military personnel and government officials. Two years ago, Kimsuky was accused of having hidden inside the internal network of the Korea Atomic Energy Research Institute.
Via: BleepingComputer