The National Intelligence Service of the Republic of Korea (NIS) and the German Federal Office for the Protection of the Constitution (BfV) published a joint statement warning of a threat actor’s use of Chrome extensions to steal email data from its victims. Kimsuky, otherwise known as Thallium or Velvet Chollima, is a threat actor that specializes in using spear phishing to target journalists, diplomats, government agencies and officials, university professors, and politicians. The statement released by the NIS and BfV details the Chrome extension campaign, as well as Kimsuky’s use of malicious Android applications as part of its cyber-espionage efforts. The initial infection point for the extension-based attack has consistently been spear-phishing emails that install an extension named “AF” on Chromium-based browsers. This extension automatically begins stealing email content from the victim and uses the DevTools API to relay the data to an attacker-controlled server.
This threat actor has been seen running similar campaigns in the past, but these recent campaigns drew attention from German government authorities because they targeted “experts on issues relating to the Korean Peninsula.” Government bodies speaking out publicly about phishing campaigns is a major step in raising awareness of such attacks, which decreases their effectiveness. This campaign is ongoing, and the malicious domains still appear to be active.
To check for evidence of this attack, users can enter chrome://extensions, edge://extensions, or brave://extensions in the address bar, depending on the browser, and look for an extension named “AF”. If it is present, remove it, change passwords, and try to identify a phishing email that could be associated with this campaign.
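
A scripted version of the same check, for hosts where opening the browser UI is impractical. This is an added example, not part of the NIS/BfV statement: it walks a Chromium user-data directory and reports extensions whose displayed name is “AF”. The on-disk layout and the function names are assumptions of this example, and unpacked extensions loaded from outside the profile do not appear under `Extensions`, so the extensions page remains the authoritative view.

```python
import json
import sys
from pathlib import Path

SUSPECT_NAME = "AF"  # extension name given in the advisory


def load_json(path):
    """Parse a JSON file; return {} if unreadable, malformed or not an object."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def display_name(version_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ placeholder into _locales."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(Path(version_dir) / "_locales" / locale / "messages.json")
        for msg_key, entry in messages.items():
            if msg_key.lower() == key and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name


def find_suspect_extensions(user_data_dir, suspect=SUSPECT_NAME):
    """List installed extensions whose displayed name equals `suspect` (case-insensitive)."""
    hits = []
    # Assumed layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for mf in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        name = display_name(mf.parent, load_json(mf))
        if name.strip().lower() == suspect.lower():
            hits.append({"profile": mf.parents[3].name, "id": mf.parents[1].name,
                         "name": name, "path": str(mf.parent)})
    return hits


if __name__ == "__main__":
    # Usage: python check_af.py "<path to browser User Data directory>" [...]
    for root in sys.argv[1:]:
        for hit in find_suspect_extensions(root):
            print(f"[!] {hit['name']} id={hit['id']} profile={hit['profile']} {hit['path']}")
```

A hit is a lead to confirm on the extensions page before removal, since a short name such as “AF” can also belong to an unrelated extension.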