The Kimsuky APT (Advanced Persistent Threat) group continues to expand its arsenal of malicious tools. The group is believed to have ties to North Korea and, since at least 2012, has been targeting individuals and organizations in South Korea, Japan and the U.S. Its operators specialize in cyberespionage campaigns, seeking to infiltrate entities working in the media, research, diplomacy and political sectors.
Details about the new malware of the Kimsuky group (also tracked as Thallium, Black Banshee and Velvet Chollima) were released to the public in a report by researchers at a South Korean cybersecurity company. The researchers identified three mobile threats tracked as FastFire, FastViewer and FastSpy.
FastViewer Technical Details
FastViewer is spread via a modified 'Hancom Office Viewer' application. The legitimate application is a mobile document viewer that opens Word, PDF, .hwp (Hangul) and other documents, and it has over 10 million downloads on the Google Play Store. The Kimsuky operators took the legitimate Hancom Office Viewer application and repackaged it with their own malicious code. As a result, the weaponized version has a package name, application name and icon that are extremely similar to those of the real application. The repackaged application is signed with a certificate kept in the JKS (Java KeyStore) format.
During installation, the threat abuses Android's accessibility permissions, which it needs for many of its malicious actions. If those permission requests are granted, FastViewer can receive commands from its operators, establish persistence on the infected device and start its spying routines.
The malicious behavior is activated when the modified application is used to scan a document specially crafted by the Kimsuky operators. The file is converted to a normal document and shown to the user, while the malicious activity runs in the background. The threat collects a wide range of information from the device and exfiltrates it to its Command-and-Control (C2) server. In addition, one of FastViewer's main functions is to fetch and deploy the third identified Kimsuky threat, FastSpy. This tool shares many characteristics with an open-source RAT known as AndroSpy.
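As an added, defender-side illustration (not code from the report or from any vendor), the following Python heuristic flags an installed app whose package name exactly matches or closely resembles a pinned, trusted package but whose signing-certificate fingerprint differs from the pinned one, and notes when such a lookalike also binds an accessibility service. The package name and fingerprints are constructed placeholders, not the real Hancom Office Viewer values.

```python
import difflib
from dataclasses import dataclass

# Hypothetical allowlist: package name -> SHA-256 fingerprint of the publisher's
# signing certificate. Both values are constructed placeholders.
PINNED_SIGNERS = {
    "com.example.docviewer": "aa" * 32,
}

# Permission an accessibility service must declare; a repackaged viewer that
# suddenly binds one is exactly the pattern described above.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class InstalledApp:
    package: str
    label: str
    signer_sha256: str
    permissions: tuple = ()


def closest_pinned(package: str, threshold: float = 0.8):
    """Return the pinned package most similar to `package`, or None if no
    pinned name reaches the similarity threshold (catches lookalike names)."""
    best, best_score = None, 0.0
    for pinned in PINNED_SIGNERS:
        score = difflib.SequenceMatcher(None, package, pinned).ratio()
        if score > best_score:
            best, best_score = pinned, score
    return best if best_score >= threshold else None


def assess(app: InstalledApp) -> list:
    """Return a list of findings; an empty list means the app either matches
    its pinned signer or does not resemble any pinned package at all."""
    findings = []
    match = closest_pinned(app.package)
    if match is None:
        return findings
    if app.signer_sha256.lower() == PINNED_SIGNERS[match]:
        return findings  # genuine build signed by the expected key
    kind = "exact" if app.package == match else "lookalike"
    findings.append(f"{kind} package name for {match} but unknown signer")
    if ACCESSIBILITY_PERMISSION in app.permissions:
        findings.append("unsigned-by-publisher build also binds an accessibility service")
    return findings
```

The signer fingerprint of an installed app can be obtained from the platform's package manager or from the APK's signing block; this example only consumes that value, it does not extract it.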