FastFire

The APT (Advanced Persistent Threat) group Kimsuky has further expanded its malicious arsenal with three new malware threats, according to the findings of cybersecurity researchers. The attack tools were analyzed by researchers at a South Korean cybersecurity company, who named them FastFire, FastViewer and FastSpy.

The Kimsuky hacker group (also tracked as Thallium, Black Banshee and Velvet Chollima) is believed to have been active since at least 2012 and appears to be backed by the North Korean government. Its attack operations have mostly focused on individuals and organizations located in South Korea, Japan and the U.S. The apparent goal of the campaigns is to gather sensitive information from victims working in the media, politics, research and diplomacy fields.

FastFire Details

FastFire is an Android threat that shows signs of still being under active development. The malicious APK masquerades as a Google security plug-in. Once installed on the device, FastFire hides its launcher icon so as not to attract the victim's attention. The malware then transmits a device token to the operation's Command-and-Control (C&C, C2) servers and waits for a command to be sent back. Communication between the infected device and the C&C servers is carried out via Firebase Cloud Messaging (FCM). Firebase is a mobile development platform that offers numerous essential functions, including real-time content hosting, databases, push notifications and social authentication, among many others.

The primary task of FastFire appears to be executing a function that calls deep links. However, at the time of the research, this functionality was not fully implemented. The researchers also note the presence of several classes that are never executed.
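The traits described above (Google-security branding, an FCM-driven C2 channel, deep-link handling) can be turned into a simple static triage check over a decoded AndroidManifest.xml. The following is an added example written for this page, not code from the researchers' report; the manifest is constructed, and the three heuristics are the editor's own assumptions about what such a sample would declare, not confirmed indicators of the real FastFire sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from the real FastFire APK): an app that
# labels itself a Google security plug-in, registers a Firebase Cloud Messaging
# handler and exposes a browsable deep-link activity.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secplugin">
  <application android:label="Google Security Plugin">
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
    <activity android:name=".LinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.invalid"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the list of FastFire-style traits found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    pkg = root.get("package", "")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    findings = []
    # Trait 1: Google branding on a package that is not in Google's namespace.
    if "google" in label.lower() and not pkg.startswith("com.google."):
        findings.append("impersonates_google")
    # Trait 2: a component that handles FCM events, the C2 channel the write-up names.
    if any(a.get(ANDROID_NS + "name") == "com.google.firebase.MESSAGING_EVENT"
           for a in root.iter("action")):
        findings.append("fcm_receiver")
    # Trait 3: a browsable VIEW intent filter, i.e. the app can be driven by deep links.
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
        if "android.intent.action.VIEW" in actions and "android.intent.category.BROWSABLE" in cats:
            findings.append("deep_link_handler")
            break
    return findings
```

The launcher-icon hiding is a runtime action, so a manifest check cannot see it; treat a hit on all three traits as a reason for dynamic analysis rather than a verdict, since legitimate apps also use FCM and deep links.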
