A malicious browser extension for Chrome and other Chromium-based browsers capable of stealing the contents of your Gmail email account has been discovered by security researchers.
The malware campaign was spotted by two national security agencies – the German Federal Office for the Protection of the Constitution, and the National Intelligence Service of the Republic of Korea.
These two agencies issued a joint statement, warning about the campaign, urging people to be vigilant, but particularly diplomats, journalists, university professors, politicians, and government employees, who are all reportedly the main targets.
Delivered via phishing
AF is a Google Chrome add-on distributed by a threat actor known as Kimsuky (or Thallium). This threat actor is based in North Korea, the two agencies claim, and allegedly targets high-profile individuals in their cyber-espionage programs.
While initially focused on South Korean targets, Thallium recently expanded its target list into Europe, and the United States.
AF is delivered to its victims via phishing. The group would send out the usual “urgent” email, telling the victim to download the add-on on their endpoint (opens in new tab). If installed, the malware won’t show up in the list of add-ons on Chrome, and will only be visible in the extension list. Once installed, it only takes one visit to Gmail for the add-on to run and extract all of its activities.
Kimsuky seems to be a state-sponsored actor focused on cyber-espionage and intelligence gathering. According to CISA, the group has been active for more than a decade.
In 2015, it was accused of stealing sensitive data from Korea Hydro & Nuclear Power, and four years later, in 2019, it was accused of targeting retired South Korean diplomats, military and government officials. Two years ago, Kimsuky was accused of lurking in the internal networks belonging to the Korea Atomic Energy Research Institute.
Via: BleepingComputer (opens in new tab)