Kimsuky Exploiting TRANSLATEXT Chrome Extension to Swipe Sensitive Information

Jun 28, 2024NewsroomCyber Espionage / Cyber Attack

A group associated with North Korea named Kimsuky has been identified as using a new malevolent Google Chrome extension with the purpose of snatching crucial data as part of an ongoing intelligence operation.

Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to collect email addresses, usernames, passwords, cookies, and browser screenshots.

The targeted operation was directed towards South Korean academia, especially those concentrating on North Korean political matters.

Kimsuky is a well-known North Korean hacking group, active since at least 2012, that carries out cyber espionage and financially motivated attacks against entities in South Korea.


A sister group of the Lazarus cluster and affiliated with the Reconnaissance General Bureau (RGB), Kimsuky is also recognized by names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima.

In recent months, the group has exploited a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger and has used job-themed lures in attacks on the aerospace and defense industries to deploy an espionage tool with data collection and secondary payload execution capabilities.

“The undisclosed backdoor enables the attacker to conduct basic reconnaissance and introduce additional payloads for assuming control or remote management of the system,” as stated by cybersecurity company CyberArmor.

Chrome Extension

The exact method of initial access related to the newly discovered activity remains unclear, although the group is inclined to exploit spear-phishing and social engineering tactics to initiate the infection sequence.

The attack begins with a ZIP file purported to be related to Korean military history, containing two files: a Hangul Word Processor document and an executable file.

Running the executable retrieves a PowerShell script from an attacker-controlled server, which exfiltrates information about the compromised victim to a GitHub repository and downloads additional PowerShell code by means of a Windows shortcut (LNK) file.

Zscaler reported discovering the GitHub account created on February 13, 2024, hosting the TRANSLATEXT extension briefly under the name “GoogleTranslate.crx,” although the distribution method is presently undisclosed.


“These files were found in the repository on March 7, 2024, and were removed the following day, indicating that Kimsuky planned to limit exposure and use the malware for a brief period to target specific individuals,” reported security researcher Seongsu Park.

TRANSLATEXT, which masquerades as Google Translate, uses JavaScript code to bypass security measures on services such as Google, Kakao, and Naver; steal email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate the stolen data.

Moreover, it’s programmed to fetch commands from a Blogger Blogspot URL to capture screenshots of newly opened tabs and delete all cookies from the browser, among other functionalities.
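As an added defender's example (not from Zscaler's report or this article), the following Python audits a Chrome profile's Preferences JSON for extensions that were not installed from the Web Store yet request the permissions needed for the cookie theft and tab screenshots described above. The sample entries are constructed, and the field names (`extensions.settings`, `from_webstore`, `location`, `manifest`, `path`) follow Chrome's profile layout as I recall it, so treat them as assumptions to verify against your own browser version.

```python
import json

# Manifest permissions that together enable the behaviour described above:
# reading cookies, enumerating tabs, and capturing screenshots on any site.
SENSITIVE_PERMISSIONS = {"cookies", "tabs", "webRequest", "webNavigation", "<all_urls>"}
UNPACKED_LOCATION = 4  # assumed value Chrome records for "Load unpacked" installs


def audit_extensions(prefs: dict) -> list:
    """Flag extensions not installed from the Chrome Web Store that request
    any sensitive permission. Returns one dict per suspicious extension."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        hits = sorted(perms & SENSITIVE_PERMISSIONS)
        sideloaded = (not entry.get("from_webstore", False)) or entry.get("location") == UNPACKED_LOCATION
        if sideloaded and hits:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "permissions": hits, "path": entry.get("path", "")})
    return findings


def audit_file(path: str) -> list:
    """Audit a real Preferences (or Secure Preferences) file from a Chrome profile."""
    with open(path, encoding="utf-8") as f:
        return audit_extensions(json.load(f))


# Constructed sample mimicking the Preferences layout. "bbbb" is a Web Store
# extension with cookie access (not flagged); "cccc" models a sideloaded
# "GoogleTranslate" with the permissions TRANSLATEXT would need (flagged).
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaa": {"from_webstore": True, "location": 1,
             "manifest": {"name": "Notes", "permissions": ["storage"]}},
    "bbbb": {"from_webstore": True, "location": 1,
             "manifest": {"name": "Store Helper", "permissions": ["cookies", "tabs"]}},
    "cccc": {"from_webstore": False, "location": 4, "path": "C:\\Users\\victim\\GoogleTranslate",
             "manifest": {"name": "GoogleTranslate", "permissions": ["cookies", "tabs", "storage"],
                          "host_permissions": ["<all_urls>"]}},
}}}

if __name__ == "__main__":
    for r in audit_extensions(SAMPLE_PREFS):
        print(f"[!] {r['name']} ({r['id']}) sideloaded; permissions: {', '.join(r['permissions'])}")
```

On Windows the extension settings usually live in the profile's `Secure Preferences` file rather than `Preferences`, so point `audit_file` at whichever one contains the `extensions.settings` key.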

“One of the main goals of the Kimsuky group is to conduct surveillance on academic and government personnel for garnering valuable intelligence,” highlighted Park.
