The Kimsuki APT (Advanced Persistent Threat) group continues to expand its arsenal of threatening tools. The latest identified addition is a trio of mobile threats utilized in attack campaigns targeting victims' Android devices. Details about the previously unknown harmful threats now tracked as FastFire, FastViewer and FastSpy were released in a report by malware researchers from a South Korean cybersecurity company.
The Kimsuki hacker group is believed to be backed by North Korea. Its activities can be traced as far back as 2012 and its targets have consistently been located in South Korea, Japan and the U.S. The hackers have mostly carried out cyberespionage campaigns that aim to collect sensitive information from individuals or organizations involved in the politics, diplomacy, media or research sectors.
The FastSpy threat is deployed on the infected devices by the previous-stage implant FastViewer. The primary function of FastSpy is to provide the attackers with remote control over the victim's device. The threat is capable of acquiring additional privileges by abusing the same Android accessibility API privileges that FastViewer attempts to obtain. It achieves this by displaying a pop-up requesting the needed permission and then a click is simulated on the 'Agree' button. No interaction from the user is required. The method exhibits several characteristics that are similar to what has been previously observed in the Malibot malware threat, as a way to circumvent Google's MFA (multi-factor authentication).
The intrusive capabilities of FasSpy include hijacking the phone, collecting SMS information, tracking the device's location, and monitoring the camera, microphone, speaker, GPs and other functions in real time. The Kimsuki hackers also can utilize the threat to access files on the device and exfiltrate them to the operation's Command-and-Control server. It should be pointed out that S2W's researchers confirmed multiple similarities in the method name, message format, code, functions, etc., between FastSpy and an open-source RAT (Remote Access Trojan) known AndroSpy.
Tip: Turn your sound ON and watch the video in Full Screen mode.