Kimsuky’s TRANSLATEXT Chrome Extension: A New Tool for Data Theft

June 28, 2024

Zscaler ThreatLabz, in March 2024, observed the North Korea-linked threat group Kimsuky using a new malicious Google Chrome extension, TRANSLATEXT, to steal sensitive information. This extension is capable of gathering email addresses, usernames, passwords, cookies, and browser screenshots. The campaign primarily targets South Korean academia, especially those studying North Korean politics.

Kimsuky, a notorious North Korean hacking group, has been active since 2012. They are known for cyber espionage and financially motivated attacks against South Korean entities. The group is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, and is said to be a sister group of the Lazarus cluster and part of the Reconnaissance General Bureau (RGB).

Recently, Kimsuky has exploited a known security vulnerability in Microsoft Office (CVE-2017-11882) to distribute a keylogger. They have also used job-themed lures in attacks aimed at the aerospace and defense sectors with the aim to deploy an espionage tool with data gathering and secondary payload execution functionalities. Cybersecurity company CyberArmor stated, "The backdoor, which does not appear to have been publicly documented before, allows the attacker to perform basic reconnaissance and drop additional payloads to take over or remotely control the machine." CyberArmor has named this campaign Niki.

The initial access method for the newly discovered activity remains unclear, but Kimsuky is known to use spear-phishing and social engineering attacks to initiate the infection chain. The attack starts with a ZIP archive that appears to be about Korean military history and contains a Hangul Word Processor document and an executable. Upon launching, it retrieves a PowerShell script from an attacker-controlled server, which exports victim information to a GitHub repository and downloads additional PowerShell code via a Windows shortcut (LNK) file.

Zscaler discovered a GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although its delivery method is currently unknown. Security researcher Seongsu Park noted, "These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals."

TRANSLATEXT, pretending to be Google Translate, uses JavaScript code to bypass security measures for services like Google, Kakao, and Naver. It captures email addresses, credentials, cookies, and browser screenshots, and exfiltrates stolen data. It is also designed to receive commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser. Park said, "One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence."

Related News

• Revived ValleyRAT Malware Exhibits Enhanced Data Theft Techniques
• Rise in USB-Based Cyberattacks on Operational Technology Systems
• TA558 Cybercriminals Exploit Images for Broad Malware Attacks
• Cyber Attackers Utilize Old Microsoft Office Vulnerability to Disseminate Spyware
• APT34 Linked to New Phishing Attacks Deploying SideTwist Backdoor and Agent Tesla Variant

Latest News

• Cryptocurrency Mining Exploitation: The 8220 Gang and Oracle WebLogic Server Vulnerabilities
• Prompt Injection Vulnerability in Vanna AI Library Poses Risk of Remote Code Execution Attacks
• P2Pinfect Worm Targets Redis Servers with Ransomware and Crypto Miners
• Critical SQL Injection Vulnerability in Fortra FileCatalyst Workflow Exposed
• Apple Fixes AirPods Bluetooth Security Flaw Allowing Unauthorized Access